The EDPB has published guidelines on the territorial scope of the GDPR and appointing a representative (Guideline 3/2018). Even though these guidelines will not be directly relevant to the UK law anymore, the ICO stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the GDPR the EDPB guidelines can help, as long as the UK government does not adopt new regulations concerning this topic. According to these guidelines, different factors are considered when determining if a company is offering their goods or services to individuals in the EU. Some factors to be considered, adjusted to a UK-only application, would be:

• using language that is used in the UK and offering the UK currency GBP;
• using ads to address UK individuals or other marketing tools directed towards UK customers;
• mentioning addresses or phone numbers to be reached from the UK;
• use of UK top-level domains;
• offering delivery of goods to the UK.

Again, the guidelines of the EDPB can help to assess whether a company is monitoring the behaviour of UK individuals, as long as the UK government does not adopt new regulations (Guidelines 03/2018). According to the EDPB guidelines, monitoring can take place both on the internet and through wearables and other smart devices. Some examples of monitoring activities would be:

• behavioural advertisement
• geo-localisation activities
• online tracking by using cookies or other tracking technologies
• market surveys and other behavioural studies based on individual profiles
• CCTV

If your company is obligated to appoint a representative but fails to do so, fines of up to GBP 8.7 million or 2% of your annual global turnover (whichever is higher) can be issued.

Since your UK privacy representative should be able to represent you regarding your legal obligations under the UK GDPR, make sure the representative is not just a postbox but a well trained privacy professional located in the UK. The representative should be appointed in writing and will act on your behalf regarding your compliance with UK GDPR, as well as functioning as a local contact point for UK data subjects and the UK supervisory authority, ICO.

How does Prighter match these requirements?

• The UK privacy representation is provided by Prighter Ltd, a UK company which is part of Prighter Group powered by Maetzler Rechtsanwalts GmbH & Co KG;
• With Prighter Ltd, trained lawyers and privacy professionals are available to support you in all UK related privacy matters and even beyond; and
• A writen appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process.

  Resources: ICO FAQs UK representatives,

Our goal is to enable companies without a subsidiary, branch or other establishment in the UK to comply with the UK privacy framework through a combination of legal expertise and technology to deliver this expertise. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer (DPO) for major banks, financial service providers, tech companies,...) into the development of our tools for handling Data Subject Requests (DSR) and data breaches, and for the management of records of processing activities. We support you in all privacy related matters, but above all we help your business to grow by enabling you to improve customer trust by handling privacy matters in an efficient and professional way.

The core of our service is representation according to Art 27 UK-GDPR. Around this core we have built features, services, and tools which enable you to leverage your compliance in order to increase efficiency and gain trust with your customers and partners. For more information on the services offered visit “UK-Rep Services”:

• UK Representation:

  By subscribing to the UK Privacy Representation Program, you appoint us as your certified UK Privacy Representative. Our highly professional team of lawyers and privacy professionals will give you the support you need to deal with requests from data subjects and data protection supervisory authorities.

• Gain Trust:

  We provide you with a Compliance Landing Page for you to brand and to include privacy and security related certificates as well as your privacy and cookie policies. This is your window into the world of privacy-related matters which helps you to increase customer trust and confidence by demonstrating your privacy regulations readiness. The Compliance Landing Page also serves as an access point for privacy related requests which you can then easily manage with your GDPR Privacy Software Tools.

• Privacy Software Tools:

  For any data subject requests (DSRs) from existing or potential clients we have built a tool to manage the lifecycle of such privacy requests. This saves you time, internal resources, and money, and reduces your compliance risk substantially. Furthermore, all standard requests from the ICO are covered (e.g. requests to submit records of processing activities).

Companies which are established outside the UK and the EU/EEA and neither have an establishment within the UK nor the EU/EEA but are

• offering goods or services to individuals in the UK and the EU/EEA; or

• monitoring the behavior of individuals in the UK and the EU/EEA.

will have to appoint two representatives, in both the EU and the UK, in order to comply with EU regulations on one hand, and UK regulations on the other.

Since Prighter has offices in the EU as well as in the UK, we are able to offer you EU representation as well as UK representation.

The onboarding process is simple and can be completed in a couple of minutes, but the best part is: We grant your company a free 14 day trial to make the appointment completely risk-free.

1. Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories and therefore by the number of persons employed. "Employees" includes part-time workers and freelancers. 

2. Enter your company's details. Your risk-free 14 day trial period starts when you complete this step.

3. After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests by supervisory authorities. We kindly ask you to sign and upload your PoA.

4. Our team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.

5. After the PoA has been approved, your company has successfully appointed Prighter as it's UK privacy representative. You can log in to your client area where you can find templates and information on what you can include in your homepage and privacy policy.

Contrary to the appointment of a DPO, you don't need to notify the ICO of the representation. In the event that the ICO has an inquiry about a company, they take the necessary information from the company's privacy policy.

Please note that contrary to UK privacy representation, a NIS representation needs to be notified to the ICO.

Every separate entity requires representation according to Art 27 UK GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you signed up for. The "small enterprise" package includes one affiliate, the "medium enterprise" package includes up to 5 affiliates, and the "large enterprise' package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.

Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €19 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service without any risk. All of our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option.

Furthermore, you can choose between paying with credit card,  or via bank transfer. We accept almost all credit cards. Bank transfers are acceptable in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions!