A guide to the GDPR’s EU representative requirements

You might have heard increased chatter recently about the need for an EU representative under the GDPR (General Data Protection Regulation).

This rule applies to any organisation outside the EU that monitors the behaviour of, or provides goods or services to, EU residents.

The representative will be a point of contact for data subjects and supervisory authorities concerning data protection queries. They’ll also keep a record of data processing activities the organisation carries out.

This requirement wasn’t widely discussed in the UK when the GDPR took effect, because it didn’t apply. However – and we hope we’re not breaking news to you here – the UK will soon be leaving the EU, which means a swathe of organisations need to establish EU representatives.

Does this requirement affect all UK organisations?

UK organisations only need to appoint an EU representative if they monitor or provide goods or services to EU residents.

If you deal exclusively with UK-based customers, you therefore won’t be required to appoint an EU representative. That’s because as soon as the UK is no longer in the EU, your customers will cease to be EU residents.

However, if your data processing or monitoring extends to other EU member states, you’ll probably be required to appoint an EU representative. There are two exemptions:

  1. Organisations that have an office and employees based in the EU.
  2. Organisations whose processing activity is occasional, doesn’t include large-scale processing of special categories of data and is unlikely to result in a risk to the rights and freedoms of natural persons (see Article 27 of the GDPR for more information).

These exemptions don’t apply to public authorities, which must always have a DPO.

Selecting your EU representative

Your EU representative can be any natural or legal person who’s based in an EU member state within which you collect personal data.

If you only collect information from data subjects in, say, France, your EU representative must be based in France. However, if you collect personal data from the entirety of the EU, you can appoint a representative from any EU member state.

When you have multiple countries to choose from, it’s best to select the one in which you collect the most data or conduct the most extensive monitoring.

How the Brexit negotiations affect this requirement

UK organisations only need to have an EU representative once the UK is no longer a member of the EU. This was originally set to happen on 29 March 2019, but a delay is almost certain at this point, and that will in turn delay the date at which you need to appoint an EU representative.

But whereas most things Brexit-related remain uncertain, causing organisations to take a wait-and-see approach to business, the requirement for an EU representative is straightforward. The UK will in all likelihood be leaving the EU, whether that’s in a few weeks, months or a year, and at that point you’ll need an EU-based representative.

Appoint your EU representative before Brexit

You can find an EU representative quickly and easily with the help of our sister company GRCI Law.

Led by a team of lawyers, barristers, and information and cyber security experts, GRCI Law can take the strain of GDPR compliance, acting as your EU representative for personal data processing activities.

Find out more about GRCI Law’s GDPR EU Representative service >>