What does Brexit mean for the requirement of installing an EU Representative or an UK Representative?

Until now, only businesses based outside the EU were required to install a so-called EU Representative as a contact person for data protection issues under art. 27 GDPR.

Brexit – which will now come into effect at the end of the transitional period on 31. December 2020 – not only has implications for data protection law in the UK, but also places new requirements on businesses established either in the UK or within the EU and that provide services in the other jurisdiction requiring the transfer of data across the new border.

Especially in recent months, such cross-border data transfers – especially to the US – have been a much discussed topic. We already discussed this subject under the headings “Schrems II” and “EU-US PrivacyShield” in our previous issues of the ePrivacy newsletter.

Following Brexit, the UK is now also a “third country” from the GDPR’s point of view and businesses based in the UK that process personal data of EU residents must now appoint an EU Representative.

But the effects of Brexit go far beyond this: The UK will essentially retain the GDPR as a national law. This means that British data protection law will require a representative in the United Kingdom in the same way as art. 27 GDPR does – with the difference that the UK Representative must be established within the United Kingdom. The UK’s data protection authority, the ICO, has clarified this recently.​

This means that all businesses based outside the UK (including EU companies!) must appoint a UK Representative established within the UK if they continue to provide services in the UK and thereby process personal data of UK residents.

As a result, companies based outside of the EU will now have to appoint a UK Representative in addition to their existing EU Representative when processing personal data of British residents.

Unfortunately, this is not enough: In addition to the “UK Representative”, UK data protection law also requires the appointment of a data protection officer. However, this person does not need to be based in the UK, but can also be based in the EU – provided he or she has the necessary expertise in UK data protection law.

All of this can be summarised as follows: