UK-Representative Data Protection
Until now, only businesses based outside the EU were required to install a so-called EU Representative as a contact person for data protection issues under art. 27 GDPR.
With the UK's withdrawal from the EU as of 01.01.2021, the UK is now also a “third country” from the GDPR’s point of view and businesses based in the UK that process personal data of EU residents must now appoint an EU Representative.
But the effects of Brexit go far beyond this: The UK will essentially retain the GDPR as a national law. This means that British data protection law (article 27 UK representative) requires a representative in the United Kingdom in the same way as art. 27 GDPR does – with the difference that the UK data representative must be established within the United Kingdom. The UK’s data protection authority, the ICO, has clarified this recently.
This means that all businesses based outside the UK (including EU companies!) must appoint a UK Representative (uk data protection representative) established within the UK if they continue to provide services in the UK and thereby process personal data of UK residents.
In addition to the “UK Representative”, UK data protection law also requires the appointment of a data protection officer. However, this person does not need to be based in the UK, but can also be based in the EU – provided he or she has the necessary expertise in UK data protection law.
