UK Representative

UK Representative FAQs

UK, Brexit and GDPR

What happens to GDPR 1st January 2021?

From 1st January 2021, the United Kingdom will no longer be part of the EU. Until now, if you have conducted business in the UK, you have done so under EU regulations, including the General Data Protection Regulation 2016/679 (EU GDPR). From 1st January the EU GDPR will no longer apply within the UK.

Will GDPR still apply in the UK?

Yes, but through a different statutory instrument. The UK Data Protection Act 2018 (DPA 2018) enacts the European Union GDPR requirements into UK law. In February 2019, the UK passed the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

This instrument amends DPA 2018 and merges the requirements of EU GDPR and provides the UK with a data protection framework suitable for the United Kingdom post-Brexit. This framework will be known as the "UK GDPR".

From 1st January there will be two distinct GDPR regimes, "EU GDPR" and "UK GDPR".

Will my EU Representative continue to represent me in the UK?

No, from 1st January 2021, your EU GDPR Representative will no longer represent you in the UK. If UK GDPR requires you to appoint a UK Representative under Article 27, you will need to make that appointment in addition to your EU Representative.

Is a UK GDPR Representative the same as a EU Representative?

No, they are performing different and distinct services on your behalf. The EU Representative will only represent you in the EU, and the UK Representative will only represent you in the UK.

Can my EU GDPR Representative also be my UK Representative?

Yes, as long as they meet the requirements of EU GDPR and UK GDPR. Both regulations require Representatives to be located in an appropriate jurisdiction. We provide both EU and UK Representative services.

Do I need a UK GDPR Representative Service?

UK GDPR will require you to appoint a UK Representative If you meet the conditions described in Article 27. Appointment of a UK Representative may be separate and in addition to your obligations to nominate an EU Representative, under EU GDPR Article 27.

How do I know whether I need an EU Representative or a UK Representative?

The EU GDPR and the UK GDPR both place obligations on you to appoint a Representative under the specific Article 27 of each regulation. The EU GDPR applies to your business operations within EU member states, whereas the UK GDPR applies to your business operations within the United Kingdom.

You should assess your obligations for each regulation separately, based on your status and business operations within each of the jurisdictions. You may only be required to appoint a representative for one of the GDPR regimes, or you may be required to appoint a Representative under both.

Can you be my UK Representative?

Yes, we provide both UK Representative and EU Representative services. Upon completion of registration to our UK Representative service your UK Representative will be Juksta UK GDPR Representative Limited, a UK based company.

Juksta UK GDPR Representative Limited is part of the Juksta group of companies, with a presence in the United Kingdom, Ireland and Australia.

How do I appoint you as my UK Representative?

Simply select a plan and register an account. You appoint us as your UK Representative as part of the sign up process.

UK GDPR Representative Service

Do I need a UK Representative for GDPR?

Under Article 27 of the UK GDPR, your business must appoint a “Representative” in the United Kingdom if:

  1. it does not have a presence (e.g. an office) in the United Kingdom; And either
  2. it is offering goods or services (whether free or for payment) to individuals in the UK; or
  3. it is monitoring behaviour of individuals whilst in the UK (e.g. your business is using an analytics program on its website to track usage by IP address),
unless an exception applies.

Are there any exemptions?

Yes, a Public body does not need to appoint a GDPR Representative. Also, according to Article 27, a controller or processor does not need to appoint a “representative” if:

  • the processing it carries out is unlikely to result in a risk to the rights and freedoms of UK data subjects; or
  • the processing is occasional;

Suppose you determine Article 27 does not require you to appoint a Representative. In that case, you must document this fact and the reasons you made this decision to comply with the record-keeping obligations under Article 30.

Note: “Occasional” is not defined in UK GDPR, but repetitive processing, such as payroll, is unlikely to be "occasional" and businesses running website analytics on persons in the UK is highly unlikely to be "occasional".

If my company is part of a group of companies do I need to appoint a separate Representative for each entity?

Yes. Each separate legal entity in the group of companies must separately appoint a UK GDPR Representative. Each entity can appoint Juksta separately. If you have a large group of companies, please contact us for special rates for group companies.

What are the UK Representative responsibilities?

By you appointing Juksta as your Representative we are required to enable your customers/data subjects and relevant supervisory authorities to communicate with you via us. We encourage communication via our Representative Portal for all online communications.

Your customers/data subjects, the UK Information Commissioner and others can send post or fax communications to our office in the United Kingdom, and we will scan them and make them available within your Representative Portal.

You must make our representative service available, but it is not against the law for your customers/data subjects, the UK Information Commissioner and others to contact you directly, or for you to respond to them directly. The Representative must also co-operate with the Information Commissioner.

Can my DPO be my UK Representative?

No. The roles and functions of a DPO and a Representative are different. The European Data Protection Board (EDPB) has expressly stated that it considers the role of a Representative to be incompatible with that of the DPO. DPO’s are required to exercise their duties and tasks in an "independent manner", whereas a representative must act only in accordance with the written instruction of the company. The EDPB also considers the two roles to have potential conflicts of interest.

What are the penalities of non-compliance?

Under Article 3 of the UK GDPR, Territorial scope of the legislation includes processing of personal data of UK data subjects by organisations who reside outside the UK. Penalties for not complying with the requirement to appoint a UK representative can be up to 2% of annual worldwide revenue or €10,000,000, whichever is the greater.

The United Kingdom Information Commissioner may enforce penalties. You may also be liable for civil claims arising from your breaches of UK GDPR.

How does the request process work?

How do data subjects contact me online?

Web-based requests can be made by your clients, data subjects or the UK Information Commissioner via your unique Customer Care portal. We provide you with a URL and HTML code, which you can add to your contact information. The system will automatically queue any notifications received via the portal and notify you via email or SMS.

Can I receive requests by mail or fax?

Yes, requests made by post or fax to your GDPR Representative address in the UK are scanned and added to your Notification Management Portal. We notify you of these requests via email or SMS.

How do I respond to requests?

You manage your requests via your Notification Management Portal. From here, you can review requests and action them to provide information to the data subject or Information Commissioner.

While there is no requirement to respond to requests within the portal we strongly recommend it, as it ensures you have a record of your response and enables you to meet your Article 30 record-keeping obligations.

Do you help me with my response to a request?

No, as your Representative, we facilitate the request process and enable you to respond in a manner that meets your record-keeping requirements. You are solely responsible for dealing with the request, including identifying the requestor and providing any response or information. If you are unfamiliar with your obligations or unsure of your abilities to handle UK GDPR related requests, you should consider engaging appropriate professional support.

Does this mean you are a data processor?

Yes. Under UK GDPR the Representative acts only under the directions of its customer. Therefore, Juksta is the data processor, and its customer is the data controller for Representative related processing.

Do I need a processing agreement with you?

Yes, because we are processing data for you, you need a data processing agreement as one of your UK GDPR obligations. A data processing agreement is entered into as part of the terms and conditions when you sign up. There are no additional actions you need to take.