European Data Flows: Does your business need a European Representative after Exit from the European Union?
As Brexit continues to frustrate us all, and its implications remain an uncertainty for many businesses, the ICO have issued guidance to help prepare businesses for life post-Brexit.
Following our departure from the EU, the UK will become a “third country” for the purposes of the GDPR unless we are given “adequacy” status by the EU. This will only happen if the EU are content that the UK’s data protection legislation reaches the standard set by EU Regulations. Whilst it may seem obvious to many that this has already been achieved by our adoption of the GDPR and ratification of the Data Protection Act 2018, we must still achieve adequacy and this is something we don’t presently have.
This means that businesses which offer goods or services to, or which monitor the behaviour of, individuals in the EEA, despite not having a branch or office in that country, are still required to comply with the EU GDPR. To do this, these businesses will be required to appoint a European Representative.
This representative will work on behalf of your business and may be either an individual or organisation. As per guidance from the European Data Protection Board (Guidelines 03/2018), this representative should be located in the EEA at the place where most of your data subjects are resident. However, if there is an even spread of individuals located across several countries, the representative should still be easily accessible to them.
You must make the appointment of your representative in writing, setting out the terms of your relationship. In practice, this can take the form of a service contract with the individual or organisation. Within this appointment, the representative must be authorised in writing to act on your behalf regarding compliance with the GDPR as they may be required to deal with any supervisory authorities or data subjects in this position.
When processing personal data, you should give details of your representative to the individual to whom the data relates. This can be done by including their details in the upfront information you give to the individual or by including them in a privacy policy. You should also include the representative’s name on your website, or another easily accessible place, for any supervisory authorities.
There are a limited number of exceptions to this, including where your processing is occasional and low risk to the individuals, but it would be better to seek advice on these exceptions before processing the data to ensure that all regulations are being complied with.
If you think that this will affect your business or organisation, please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 2263699 for further information.