Frequently Asked Questions on PrighterUK-Rep

Does our company need an Art 27 UK GDPR representative in the UK?
Since GDPR is an EU regulation, it will generally no longer be applicable in the UK after Brexit. However, the UK government has incorporated GDPR into UK data protection law. So, from January 1st 2021 onwards, the UK version of GDPR, the “UK GDPR”, will be effective and companies will have to comply with it.
Most requirements remain the same as in the EU GDPR, so companies that are already compliant with the EU GDPR will not have to make major amendments to comply with the UK GDPR. However, doing transborder business might lead to additional requirements such as appointing a UK representative or ensuring compliance regarding international data transfers to and from the UK.
The UK government has stated that from January 1st 2021 onwards, companies that are located outside of the UK, whether in the EU or in a third country, and have no offices, branches, or other establishments in the UK, will have to appoint a UK representative if they are processing personal data of individuals in the UK that relates to either:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals in the UK.
Resources: ICO FAQs on UK representatives.
The EDPB has published guidelines on the territorial scope of the GDPR and appointing a representative (Guideline 3/2018). Even though these guidelines are no longer directly applicable to UK law, the ICO has stated that they still provide helpful guidance when dealing with specific issues. Hence, when determining the territorial scope of the UK GDPR, the EDPB guidelines can help, as long as the UK government does not adopt new regulations on this topic. According to these guidelines, several factors are considered when determining whether a company is offering its goods or services to individuals in the EU. Some of these factors, adjusted to a UK-only application, are:
- using language that is used in the UK and offering the UK currency GBP;
- using ads to address UK individuals or other marketing tools directed towards UK customers;
- mentioning addresses or phone numbers to be reached from the UK;
- use of UK top-level domains;
- offering delivery of goods to the UK.
Again, the guidelines of the EDPB can help to assess whether a company is monitoring the behaviour of UK individuals, as long as the UK government does not adopt new regulations (Guidelines 03/2018). According to the EDPB guidelines, monitoring can take place both on the internet and through wearables and other smart devices. Some examples of monitoring activities would be:
- behavioural advertising
- geo-localisation activities
- online tracking by using cookies or other tracking technologies
- market surveys and other behavioural studies based on individual profiles
- CCTV
If you are a public authority, there is no need for you to appoint a representative. Also, if your company fulfils all of the following criteria, there is no obligation to appoint a UK representative:
- You are processing personal data only on an occasional basis; AND
- the data processing is of low risk to the data protection rights of the data subjects; AND
- there is no great extent of processing special categories of data or data concerning criminal offences.
Generally speaking, it is very hard for companies to fulfil all of the criteria mentioned above, which is why they are hardly ever able to take advantage of this exemption.
Resources: ICO FAQs on UK representatives.
What should I look for in a UK privacy representative? And what is Prighter’s approach?
What are the requirements of a UK privacy representative and how does Prighter meet these requirements?
Since your UK privacy representative should be able to represent you regarding your legal obligations under the UK GDPR, make sure the representative is not just a postbox but a well trained privacy professional located in the UK. The representative should be appointed in writing and will act on your behalf regarding your compliance with UK GDPR, as well as functioning as a local contact point for UK data subjects and the UK supervisory authority, ICO.
How does Prighter match these requirements?
- The UK privacy representation is provided by Prighter Ltd, a UK company which is part of Prighter Group powered by Maetzler Rechtsanwalts GmbH & Co KG;
- With Prighter Ltd, trained lawyers and privacy professionals are available to support you in all UK related privacy matters and even beyond; and
- A written appointment is part of the onboarding flow. Clients can sign a Power of Attorney directly online in an end-to-end digital process.
Resources: ICO FAQs on UK representatives.
Our goal is to enable companies without a subsidiary, branch or other establishment in the UK to comply with the UK privacy framework through a combination of legal expertise and the technology to deliver this expertise. We put the practical insights we gain as a law firm (due to our role as the appointed Data Protection Officer (DPO) for major banks, financial service providers, tech companies and others) into the development of our tools for handling Data Subject Requests (DSRs) and data breaches, and for the management of records of processing activities. We support you in all privacy-related matters, but above all we help your business to grow by enabling you to improve customer trust through handling privacy matters in an efficient and professional way.
The core of our service is representation according to Art 27 UK-GDPR. Around this core we have built features, services, and tools which enable you to leverage your compliance in order to increase efficiency and gain trust with your customers and partners. For more information on the services offered visit “UK-Rep Services”:
- UK Representation: By subscribing to the UK Privacy Representation Program, you appoint us as your certified UK Privacy Representative. Our highly professional team of lawyers and privacy professionals will give you the support you need to deal with requests from data subjects and data protection supervisory authorities.
- Gain Trust: We provide you with a Compliance Landing Page for you to brand and to include privacy and security related certificates as well as your privacy and cookie policies. This is your window into the world of privacy-related matters, which helps you to increase customer trust and confidence by demonstrating your privacy regulations readiness. The Compliance Landing Page also serves as an access point for privacy-related requests, which you can then easily manage with your GDPR Privacy Software Tools.
- Privacy Software Tools: For any data subject requests (DSRs) from existing or potential clients we have built a tool to manage the lifecycle of such privacy requests. This saves you time, internal resources, and money, and reduces your compliance risk substantially. Furthermore, all standard requests from the ICO are covered (e.g. requests to submit records of processing activities).
This is where our innovation comes into play. We built the Data Subject Request (DSR) management tool to channel, structure, and filter all incoming privacy requests from clients and authorities. You can handle requests from millions of data subjects in one tool with the help of our proprietary AI technology. We cover and support all aspects of the formal handling of DSRs, including communication with data subjects. What actually needs to be done in your database (e.g. deleting a data subject's records) is always your own decision. The DSR tool is designed to manage the lifecycle of a data subject request so that all formal aspects are handled correctly, and to offer you a framework of advice. Find more information on this tool here:
How do the requirements for the different types of representation relate to each other?
Generally, companies which have no offices, branches or other establishments in the EU/EEA need an Art 27 EU GDPR representative if they are:
- offering goods or services to individuals in the EU/EEA; or
- monitoring the behaviour of individuals in the EU/EEA.
After Brexit, the UK is no longer a Member State of the EU, and consequently an establishment in the UK no longer counts as an EU/EEA establishment. This general rule therefore obliges UK companies that fulfil the above criteria to appoint an Art 27 GDPR representative. So, if you are a UK company that reaches out to the EU/EEA market without having an establishment within the EU/EEA, you will be required to appoint an Art 27 representative.
Are there any exemptions from this obligation?
If you are a public authority, you do not need to appoint a representative. Also, if you meet all of the following criteria you are exempted from this obligation:
- You are processing personal data only on an occasional basis; and
- the processing is of low risk to the rights of the data subjects; and
- the processing does not involve large-scale usage of special categories of data or criminal offence data.
For any further questions concerning the appointment of an Art 27 GDPR representative please see our Art 27 EU GDPR FAQ:
Resources: Statement on the end of the Brexit transition period.
Companies which are established outside the UK and the EU/EEA and have an establishment in neither the UK nor the EU/EEA, but are
- offering goods or services to individuals in the UK and the EU/EEA; or
- monitoring the behaviour of individuals in the UK and the EU/EEA,
will have to appoint two representatives, one in the EU and one in the UK, in order to comply with EU regulations on the one hand and UK regulations on the other.
Since Prighter has offices in the EU as well as in the UK, we are able to offer you EU representation as well as UK representation.
How can our company appoint Prighter as our UK privacy representative?
The onboarding process is simple and can be completed in a couple of minutes, but the best part is: We grant your company a free 14 day trial to make the appointment completely risk-free.
- Choose a plan. The available plans depend on your company's size. The size of the company is defined according to the Eurostat categories and therefore by the number of persons employed. "Employees" includes part-time workers and freelancers.
- Enter your company's details. Your risk-free 14-day trial period starts when you complete this step.
- After registering, you will find a download button for the Power of Attorney (PoA). A signed PoA is required as evidence of the appointment of Prighter as your representative in case of requests by supervisory authorities. We kindly ask you to sign and upload your PoA.
- Our team will check and verify the provided information on your company and the PoA. This is usually done within a couple of hours.
- After the PoA has been approved, your company has successfully appointed Prighter as its UK privacy representative. You can log in to your client area, where you can find templates and information on what you can include in your homepage and privacy policy.
Contrary to the appointment of a DPO, you don't need to notify the ICO of the representation. In the event that the ICO has an inquiry about a company, they take the necessary information from the company's privacy policy.
Please note that contrary to UK privacy representation, a NIS representation needs to be notified to the ICO.
Every separate entity requires representation according to Art 27 UK GDPR. Nevertheless, Prighter offers your group the option to sign up for a group package to manage the representation of your affiliates through one main account, with sub-accounts for every affiliate. You will be required to internally select a centralised point of data protection management for the group to handle both the main account and the sub-accounts with one centralised login. The number of affiliates covered depends on the package you signed up for. The "small enterprise" package includes one affiliate, the "medium enterprise" package includes up to 5 affiliates, and the "large enterprise" package includes an unlimited number of affiliates. All included group entities must operate in the same industry, offer the same range of products, and have the same or a linked brand.
Subscription pricing is based on your company size according to official Eurostat categories and the number of entities to be covered, starting from €19 per month. We offer a 14-day trial period on all subscriptions so that you can get to know our service without any risk. All of our pricing is transparent and there are no hidden costs as we do not charge per request from data subjects. You can choose between monthly, quarterly, or yearly payments. Your company gets a discount for quarterly payments and an even higher discount for the yearly payments option.
Furthermore, you can choose between paying with credit card, or via bank transfer. We accept almost all credit cards. Bank transfers are acceptable in EUR, USD and GBP for annual payments. Please contact our support team should you have any further questions!