The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

1. Do we need a European representative?

You may need to appoint an EU representative if you are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.

2. Do we need to appoint a UK representative?

If your business is located outside of the UK with no offices, branches or other establishments in the UK, and you are offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, then you need to consider whether you must appoint a UK representative.

3. How do I choose a UK Representative?

If you are based outside of the UK and you do not have a branch, office or other establishment in the UK and you either:

  • offer goods or services to individuals in the UK; or
  • monitor the behaviour of individuals in the UK,

then you will need to comply with the UK GDPR. The UK GDPR will require you to appoint a representative in the UK. 

Your representative may be an individual, or a company or organisation established in the UK, and must be able to represent you regarding your obligations under the UK GDPR (e.g. a law firm, consultancy or private company). In practice the easiest way to appoint a representative may be under a simple service contract.

You will need to authorise the representative, in writing, to act on your behalf regarding your UK GDPR compliance, and to communicate with the ICO and with data subjects.

For more information, read our guidance on UK Representatives.

4. Can you clarify the circumstances under which we might need to establish a representative in the EU?

If you are a UK-based controller or processor, with no offices, branches or other establishments in the EEA, but you offer goods or services to people in the EEA or monitor the behaviour of people in the EEA after the end of the bridge period, you need to appoint an EU representative.

However, you don’t need an EU representative if you are a public authority, or if your processing is infrequent, of low risk to the data protection rights of people, and does not involve the large-scale use of special category or criminal offence data.

You can read more on European Representatives on our website.

5. We are an international company with offices and employees based in the US, UK, France, the Netherlands and Germany. Our DPO is UK-based. Do we also need to appoint an EU representative?

No. If you already have EU or EEA offices or branches, you don’t need to appoint an EU representative.

If you are currently required to have a data protection officer (DPO) under the GDPR, you’re still required to have one after the end of the bridge period, under either regime. You may continue to have a DPO who covers both territories, providing they are easily accessible from each establishment in the EEA and UK.

6. As the UK does not have to comply with EU GDPR, why is it necessary to appoint a representative into EEA countries where a UK business is offering services or products?

Although the EU GDPR will not apply in the UK, EU law still applies to activities in the EEA. If you are UK-based, do not have a branch, office or other establishment in any other EU or EEA state, but you either:

  • offer goods or services to people in the EEA; or
  • monitor the behaviour of people in the EEA,

then you still need to comply with the EU GDPR regarding this processing, even after the end of the bridge period.

The EU GDPR requires that organisations which meet these criteria appoint an EU representative unless they meet the exemptions.

7. Will we need an EU representative if the UK gets an adequacy decision?

Yes. If you meet the necessary criteria, you should take steps to appoint an appropriate EU representative. Any UK adequacy decision does not affect this.

8. Are organisations with low employee numbers or low turnover exempt from the EU representative requirements?

No, even small businesses need a representative if they are targeting people in the EEA. There is an exemption for public authorities and there is a limited exemption for infrequent low-risk processing, but there are no exemptions based on employee numbers or turnover.

Please see our guidance on exemptions for further detail.

9. Can an employee be an EU representative?

A controller or processor only needs to appoint a representative if they are not established in the EU, but they are targeting or monitoring people in the EU.

If the EU representative for the overseas company is an employee of that company, it may mean that the overseas controller has “an establishment in the EU”.

The EDPB has published guidance on what counts as an establishment in the EU for the purposes of the EU data protection regime. It says a controller or processor has “an establishment in the EU” if it is able to carry out real and effective activity in the EU, exercised through stable arrangements. The threshold for ‘stable arrangements’ can be quite low and, in some circumstances, a single employee from the overseas company in the EU may be enough to count as ‘stable arrangements’ that result in the overseas controller (or processor) having an establishment in the EU.

If the controller or processor has an establishment in the EU, they don’t have to appoint an EU representative, as the supervisory authority can communicate with the overseas controller or processor via its EU establishment. Therefore, while it may be possible for the EU representative to be an employee of the overseas controller or processor, this may impact the way in which their processing falls within the scope of the GDPR.

For further guidance, please see the EDPB guidelines on the Territorial Scope for the GDPR.

10. Who can be an EU representative for a controller or processor, and how do we appoint them?

Your representative may be a person or a company or organisation established in the EEA. They must be able to represent you regarding your obligations under the EU GDPR (eg a law firm, consultancy or private company). In practice, the easiest way to appoint a representative may be under a simple service contract.

You should give details of your representative to anyone based in the EEA whose personal data you are processing. This may be done by including them in your privacy notice or in the information you supply when you collect their data. You must also make the details easily accessible to supervisory authorities – for example, by publishing them on your website.

Your appointment of your representative must be in writing and should set out the terms of your relationship with them. Having a representative does not affect your own responsibility or liability under the EU GDPR.

You can find more guidance on European representatives on our website.

11. If we have a business which provides services across multiple EEA states and there’s not one specific country where the majority of customers are located, where should we appoint the EU representative?

You should ensure that the representative is set up in an EU or EEA state which has some of your customers. It is practical for this to be where the majority of your customers are located, as this can help to facilitate your relationship with them. However, if your customers are spread relatively evenly across multiple EU or EEA states, then you should appoint your EU representative in one of these states.

12. When are organisations exempt from needing an EU representative? Does this include public authorities?

Yes, public authorities are exempt. Organisations are also exempt from the EU representative requirement if their processing is infrequent, of low risk to the data protection rights of people, and does not involve the large-scale use of special category or criminal offence data.

13. As part of the EU representative exemption, can you define "occasional or of low risk" please?

We’d recommend that organisations take a cautious approach and only rely on the exemption if they are very confident that the processing is not part of their normal activities and has no impact on the people concerned.

14. If the services are to be provided in the UK, but are bought via distance selling in the EEA, or by an EEA citizen visiting the UK, would an EU representative be required?

Not necessarily. You only need an EU representative if you are actively targeting people who are inside the EEA. You won’t require a representative just because your website is accessible in the EEA and you happen to have some customers in the EEA. But you do need a representative if you intentionally target them. For example, if you:

  • run a European marketing campaign;
  • have a website with a local European domain name (such as ‘.eu’, ‘.fr’, ‘.de’);
  • pay search engines to direct traffic from the EEA to your website;
  • list prices in Euros;
  • use European customer testimonials;
  • have specific delivery arrangements for EEA customers; or
  • have specific contact details for EEA customers.

The EU rules only apply if the person is located in the EEA. It’s their location that matters, not their citizenship. So, if you only provide services to people who are physically in the UK, you won’t need a representative just because those people are EEA citizens.

15. If you're marketing or selling services to businesses in the EEA, rather than people, but it involves processing personal data, do you need an EEA representative? Is the position different if your website allows people to purchase products directly too?

If an organisation not established in the EEA is processing personal data, for example the details of business contacts, in connection with the offering of goods or services to businesses in the EEA rather than to people, then this processing does not fall within the scope of the GDPR under Art.3(2). As a result, the organisation doesn’t need to appoint an EU representative.

If a controller is not established within the EU and their website allows both people and businesses based in the EU to purchase their products directly, they need to consider a number of things.

Firstly, the controller needs to consider whether they are processing the personal data of those people in the EU in connection with “offering goods or services”.

Secondly, is the controller intentionally offering goods or services to people based in the EU? This won’t automatically apply just because people in the EU can access their website. But you may need a representative if the website contains anything that suggests you’re intentionally targeting people, rather than businesses.

For further reading see our guidance on distance selling.