UK subsidiary alone cannot comply with EU representative obligation

In summary:

Even before the introduction of the GDPR in 2018, many American and Chinese companies were already conducting their European business activities via the UK (especially London). What many companies continue to overlook, however, is that the UK has not been a member of the EU since the end of 2020. The GDPR generally requires data processing entities to appoint a representative based in the EU as a data protection contact person for data subjects and supervisory authorities.

1. Who needs an EU representative pursuant to Article 27 GDPR?

The EU representative requirement under Article 27 GDPR generally applies to all companies that do not have a subsidiary in the EU if they process personal data of EU citizens as a controller or processor and their business activities are directed at the EU market. The latter may be the case in particular if the company maintains a website in EU languages, offers goods and/or services in EU countries, displays prices in euros, places EU-specific advertising, or uses EU domains (e.g., “.de”).

Why a subsidiary in the UK is not sufficient for an EU representative under the GDPR

Before Brexit, the UK was a member of the EU, which is why foreign companies (e.g., from the US or China) with a UK subsidiary did not need a separate EU representative. The UK subsidiary automatically fulfilled this function. However, since Brexit on January 1, 2021, the UK has become a third country, which is why the appointment of a separate EU representative has become a legal requirement. For foreign companies that have neither a subsidiary in the EU nor in the UK, it may even be necessary to appoint both an EU representative and a UK representative.

2. Tasks of an EU representative

An EU representative acts as your company's data protection contact person in the EU, i.e., they handle data subject requests and are the point of contact and authorized representative for your company in dealings with data protection supervisory authorities. In addition, the EU representative maintains the record of processing activities for your company as required by Art. 30 GDPR.

3. What must businesses do now?

• Check whether your company is subject to representation requirements based on the criteria listed above.
• If this is the case: Appoint a representative for your company who is based in the EU.
• Include the EU representative as a contact person in your company's privacy policy.
• Ensure that the EU representative has access to all necessary internal company information in order to be able to respond to inquiries from authorities or data subjects.

4. What is unique about inteqrity as an EU representative

With decades of experience as specialized lawyers in data law and as external data protection officers, we understand exactly what is important when it comes to GDPR compliance and can handle complex issues pragmatically and in a solution-oriented manner. Due to our in-depth industry knowledge, we take industry-specific characteristics into account and develop tailor-made solutions for your company when needed. Our long-standing, trusting relationships with data protection supervisory authorities are particularly valuable and have already proven to be a decisive advantage in critical situations in the past. inteqrity offers you not only formal compliance, but also genuine data protection expertise when you really need it.
