Do I need to appoint an Article 27 GDPR UK representative?

The UK's data protection regulations (UK GDPR) can apply to businesses based outside the UK. Don't risk significant fines (up to €10,000,000 or 2% of your total worldwide revenue, whichever is greater) through non compliance.

This simple self-assessment will help determine if you should appoint a GDPR UK representative.

Article 27 GDPR Self Assessment

GDPR UK representative Self Assessment

This simple 2 minute self-assessment will help determine if Article 27 of UK GDPR applies to your business. It has been written with as little "legal-ese" as possible, to help make it easier. However, as with most regulations UK GDPR can be quite complex to interpret. Be sure to seek local legal advice if you are unsure.

START SELF ASSESSMENT

GDPR UK representative Self Assessment

Is your organisation a business?

It does not matter how big or small your business is, or how many employees it has. UK GDPR applies to businesses, and not to individuals acting in their personal capacity.

If your organisation is a “Public Authority” you do not need to appoint a UK GDPR representative.

Is your business “established” in the United Kingdom?

Does your business entity (and not a group company or any affiliate company) have a physical office or employees in the UK or has it appointed sales agents who are in the UK?

The issue of being “established” is determined on a case by case basis, depending on the facts.

Does your business process personal data of any individuals in the UK?

“process” includes using, transferring, modifying, holding, storing, archiving and backing up.

“personal data” includes any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly (i.e. when matched with other data that is currently available or may be available in the future), in particular by reference to an identifier such as a name, email address, an identification number, location data, an online identifier (e.g. IP address, geo locator, pixels that collect IP addresses) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data can be held electronically or in a structured (i.e. not randomly) organised manual filing system.

Does your business “offer” goods or services (including where no charge is made) to individuals in the UK?

“Offer” includes using a website to offer your goods or service provided that your website is targeting the UK (i.e. the website has pound denominated pricing, or the website text can display in the English language, or the website has testimonials from UK individuals.)

“Offer” does not include having a website which simply has your products and services advertised, but without “targeting” UK individuals.

Does your business monitor the behaviour of individuals who are in the UK?

An example of “monitoring behaviour” would include:

  • where your business monitors the location of its employees or contractors in the UK (e.g. your employees have computers/phones and those computers/phones IP addresses are geo tracked for security reasons or other reasons);
  • behaviour based marketing;
  • market surveys and other behaviorally studies;
  • personalized diet or health studies;
  • monitoring or reporting on an individual’s health status.

Also you need to consider how your website operates. UK GDPR defines personal data very broadly and includes IP addresses, geo location data and similar data which is used by many websites, and especially website analytics tools to identify where devices that are using your website are located.

It does not matter whether the individual whose behaviour your business is monitoring are of UK citizenship or are living in the UK, the test is whether the individual is in the UK at the time of the monitoring.

Does your business processes personal data about UK individuals only “occasionally”, and not more frequently than that?

“Occasionally” means one-off, infrequent and not repetitive. So, for example, if your business is processing payroll data of UK individuals, or you are tracking the location and usage of users to your website through a website analytics program, or you actively receive orders for goods or services this would not be “occasional” use, and you should answer "No" to this Question.

Does your business do any large scale processing of special category data or criminal offence data, even occasionally?

“large scale” would include using website analytic with geo tracking of IP addresses for substantial numbers of people, or for example, CCTV coverage of public places.

“special category data” is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Is your business's processing of personal data of UK individuals likely to result in a risk of loss of privacy rights and freedoms to those individuals?

Even if your business only processes the personal data occasionally and even if it is not large scale processing of special category data or criminal offence data you should answer "Yes" if there's a likelihood of a risk of loss of privacy rights or freedoms.

Article 27 UK GDPR Self Assessment

Your business does not require a UK GDPR representative

Based on the answers you provided your business is not required to appoint a UK representative as described under Article 27 of UK GDPR.

RESTART ASSESSMENT
Article 27 UK GDPR Self Assessment

Your business should appoint an Article 27 UK GDPR representative

Based on the answers you provided, the requirement under Article 27 of UK GDPR to appoint a UK representative applies to your business.

Non-compliance with Article 27 can result in a fine of up to €10,000,000 or 2% of your total worldwide revenue (whichever is greater).

Let us help

Compliance to Article 27 is relatively simple. All that is required is for you to appoint and maintain a UK GDPR representative.

Select the size of your business in the form below to appoint Juksta as your Article 27 UK GDPR representative today, and we will walk you through the process simply and easily. Prices start from only €19/per month, after a 30-day free trial.

RESTART ASSESSMENT

Let's make you compliant

It is relatively easy to comply with UK GDPR representative requirements. By appointing and maintaining a UK representative you will be compliant.

We are happy to act on your behalf, as your GDPR representative. Our monthly, flat-fee price is based on the size of your business.

Select your business size to appoint us as your GDPR representative in the UK today.

Cookies

We use cookies to ensure that we give you the best experience on our website, to personalise our content and ads, analyse our site traffic and provide social media features. You consent to our cookies if you continue to use our website.
Essential
Analytics
Marketing

Essential cookies assist in making our website usable by providing functions such as navigation or access to secure areas of the site. They also may be used to help comply with legal requirements, such as GDPR. This website cannot function correctly without these cookies.

Name Provider Purpose Expiry Type
XSRF-TOKEN juksta.eu Helps prevent Cross-Site Request Forgery (CSRF) attacks. Session HTTP Cookie
juksta_session juksta.eu Preserves users states across page requests. Session HTTP Cookie
juksta_represent_session juksta.eu Preserves users states across page requests. Session HTTP Cookie
init_cookie_consent juksta.eu Helps manage cookie types preferences. 7300 days HTTP Cookie
cookie_consent juksta.eu Keep user selected cookie types. 7300 days HTTP Cookie
_ga Google Analytics Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics. 2 years HTTP Cookie
_gid Google Analytics Registers a Unique Identifer, used to generate statistical data on how the visitor uses the website for Google Analytics. 1 day HTTP Cookie
_gat_* Google Analytics Used by Google Analytics to throttle request rates, which means that it limits the collection of data on high traffic sites. 1 day HTTP Cookie

Analytic cookies help owners understand how visitors interact with their sites by collecting and reporting information.

Marketing cookies are used by 3rd parties to track users across websites with the intent to display advertising targeted to the individual user. There are no marketing cookies used by this website.