The Brexit transition agreement, which governs the relationship between the European Union and the United Kingdom in 2020, including arrangements relating to data protection, ends on December 31, 2020.
The European Union and the United Kingdom are still in intensive negotiations over how they will shape future trade relations, and it is so far unclear whether they will arrive at a follow-up agreement. For data protection, this also means that as things stand on December 15, 2020 it must be assumed that the United Kingdom will be viewed by the European Union as a third country without an adequate level of data protection, so that controllers that transfer personal data to the European Union would have to comply with corresponding provisions under Article 44 et seq. GDPR. That much is clear.
One aspect that has frequently gone unnoticed until now when it comes to international data transfer to the United Kingdom is that European organizations that do business with the United Kingdom also need a so-called "UK Representative" in some circumstances. This is required when organizations from the European Union
and are not established within the United Kingdom. In short, the duty to appoint a UK Representative arises whenever organizations offer services in the United Kingdom without having a subsidiary or other establishments there.
The reason for this obligation is that the United Kingdom developed its national data protection law along almost identical lines to the GDPR. The GDPR also knows the instrument of the European representative in Article 27 GDPR. This states that all organizations that are not established within the European Union must appoint a European representative if they offer services to the EU from outside of the European Union or monitor the behavior of EU citizens digitally. In this respect, the requirement for a UK Representative is formed along the same lines.
It should be noted that the duty to appoint a UK Representative arises regardless of whether the European Union and the United Kingdom arrive at a trade deal.
Organizations must act quickly and have appointed a UK Representative as of January 1, 2021 if they offer goods or services to residents of the United Kingdom without being established there. Otherwise they run the risk of being fined by the Information Commissioner’s Office, which is responsible for compliance with data protection in the United Kingdom.
There are various providers in the United Kingdom who offer relevant service. Please contact us if you need a referral to such a service provider.