UK representative

Are you required by Article 27 of the United Kingdom's General Data Protection Regulation (UK GDPR) to appoint a UK representative?

If your business is not established in the United Kingdom and offers goods or services to, or monitors the behaviour of, UK residents, then from 1st January 2021 UK GDPR almost certainly requires you to appoint a representative.

Failure to comply with Article 27 may expose you to regulatory fines of up to €10,000,000 or 2% of your global turnover (whichever is greater).

Article 27 GDPR representative

Our UK representative service

When you appoint Juksta to act as your representative in the United Kingdom, our services include:

  • Use of our UK-based business address as your UK GDPR representative address.
  • Being named as your point of contact for the United Kingdom in your privacy notices.
  • Being addressed on all requests relating to your personal data processing activities from the UK Information Commissioner and UK data subjects.
  • Providing you with a data subject access request (DSAR) portal to assist you with processing requests from the UK Information Commissioner and UK data subjects.
  • Maintaining records of processing activities relating to your personal data processing requests, as required by Article 30 of UK GDPR.

Why do you need to appoint a UK representative?

Firstly, many businesses outside the UK are surprised to learn that the General Data Protection Regulation (UK GDPR) may also apply to them, not just UK companies.

Article 3 (2) of UK GDPR sets out that GDPR applies to data controllers or processors not established in the United Kingdom when they are processing personal data of data subjects who are in the UK, and the processing activities relate to:

  • a) the offering of goods or services, irrespective of whether a payment of the data subject is required; or
  • b) the monitoring of their behaviour as far as their behaviour takes place within the UK.

If your business is outside the UK and you do either of these, then UK GDPR applies to you.

Secondly, Article 27 UK GDPR requires the appointment of a UK representative for businesses not established in the United Kingdom.

Article 27 (1) requires that data controllers or processors not established in the United Kingdom, which UK GDPR applies to, shall designate a representative in the United Kingdom.

Thirdly, UK GDPR is a significant regulatory compliance risk to your business.

With fines of up to £10,000,000 or 2% of total revenue (whichever is greater), non-compliance represents a significant financial risk to your business and should not be ignored.

To summarise:

If your business is outside the United Kingdom and you offer goods or services to UK residents, or monitor UK residents' behaviour (e.g. web analytics), then you are more than likely required to appoint a UK representative. This representative must be in the UK. If you choose not to appoint a representative, you may be exposing your business to significant regulatory risk.

Are there any exemptions?

Yes, there is one exemption. Article 27 (2) states:

"The obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body."

If your organisation can demonstrate the processing of personal data is "occasional" and unlikely to result in a risk to the rights and freedoms of natural persons, then it is doubtful you are required to appoint a representative.

If you determine your processing is "occasional", you should document your decision and be prepared to prove that position. If you are unsure in any way, it may be worth considering the cost and risk of this position in comparison to the cost of appointing a representative.

Is this the same as a Data Protection Officer?

No, the role of a data representative is not the same as a Data Protection Officer (DPO) and comes with a separate set of responsibilities.

A DPO is an integral part of your organisation's UK GDPR compliance program, with responsibilities to independently oversee data protection strategies, educate staff, and assess and ensure UK GDPR compliance. The representative's primary purpose, by contrast, is to act on behalf of the data controller or processor to facilitate communication with UK data subjects on all issues relating to your personal data processing activities, as well as communication from supervisory authorities.

In November 2019 the European Data Protection Board (EDPB) published guidelines stating they do not consider the function of representative compatible with the role of an external DPO:

"Such requirement for a sufficient degree of autonomy and independence of a data protection officer does not appear to be compatible with the function of representative in the Union. The representative is indeed subject to a mandate by a controller or processor and will be acting on its behalf and therefore under its direct instruction. The representative is mandated by the controller or processor it represents, and therefore acting on its behalf in exercising its task, and such a role cannot be compatible with the carrying out of duties and tasks of the data protection officer in an independent manner."

If you have already engaged an external DPO, you should appoint a different provider to act as your representative.

Benefits of appointing Juksta as your UK representative

Article 27 GDPR Compliance

Appointing a UK representative ensures compliance with Article 27 of UK GDPR and eliminates the risk of a significant regulatory fine for not having a representative.

Customer Confidence

Demonstrate to customers your commitment to their rights to be informed about the collection and use of their personal data.

Article 30 UK GDPR Compliance

Personal data processing activities related to data subject access requests made via our system are recorded in compliance with Article 30 (1) & (2).

Simple Registration

Just register with our service online to appoint us as your GDPR representative in the UK. It takes less than 5 minutes.

No Lock-in contracts

Services are provided month-to-month, with no long-term subscriptions. You can exit at any time, with no additional fees or charges.

Free trial, low monthly fees

Try the service free for 30 days with no obligation to proceed and no requirement to provide your credit card. If you continue, fees start from only €19 a month.

Let's make you compliant

It is relatively easy to comply with UK GDPR representative requirements. By appointing and maintaining a UK representative you will be compliant.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the UK today.