New Year’s ‘’Resolutions’’: Brexit and a GDPR Rep

November 19, 2020

The EU and UK are resuming their trade talks in Brussels. With the Brexit transitional period coming to a close, the aftermath of the US elections and COVID-19 developments are not the only things to keep an eye on in December. In about five weeks, all EU primary and secondary law will cease to apply to the United Kingdom. But not so fast: whilst the UK might leave the EU, many UK-based companies still operate cross-border. This has implications for the applicability of the General Data Protection Regulation (GDPR) and its data protection rules.

Territorial scope

The GDPR applies to companies based in a European Member State, but that is not all. Even with no offices, branches or other establishments in the EEA, companies might be subject to the GDPR if: (i) they process personal data of data subjects from the EU and (ii) offer goods and services and/or monitor EU data subjects’ behaviour. Non-EEA based companies that are subject to these provisions will still have to comply with the GDPR.

Due to the Brexit, companies cannot make use of their UK office as their European point of contact for privacy affairs anymore. In absence of another base inside the EEA, those companies are required to designate a GDPR Representative from December 31, 2020 onwards.

The GDPR Representative

The GDPR Representative operates under a mandate, and mainly acts as a local contact point for data subjects and data protection authorities in the EU. It enables EU authorities to enforce GDPR obligations effectively, as the GDPR Representative acts on the companies’ behalf. Companies have to inform data subjects about the appointment of the GDPR Representative. As details of the GDPR Representative should be easily accessible, not complying to the requirement will be relatively easy to spot.

Therefore, with Brexit and the end of 2020 approaching, it might be worth thinking about the designation of a GDPR Representative for your business.

Want to learn more? Privacy Company Director Arnold Roosendaal will be speaking at the PrivSec Global event on 3rd of December, where he will speak about Brexit and its privacy implications. Or simply reach out to Privacy Company. We'd be glad to answers your questions on the GDPR Representative.