22 Feb 27 Oct Data Protection in the post-Brexit era: a step towards duplication of the DPO and Legal Representative roles
After 31 December 2020, European law will no longer have any effect on British legislation. As far as data protection is concerned, many aspects are still unclear. Among these is the potential obligation of British data controllers to appoint a second data protection officer and a second legal representative located in one of the EU Member States.
An evolving situation
31 December 2020 is the end of the transition period defined in the withdrawal agreement, and the clock has started ticking.
Although European law will no longer affect British legislation, the GDPR still applies to British businesses that fall within its scope. British companies that offer goods or services to data subjects located in the EU, or that monitor the behavior of data subjects located in the EU, have to comply with the GDPR even if they are not physically located in any of the EU Member States.
It is reasonable to expect that the GDPR may eventually be mirrored in British legislation. This “UK-GDPR” would then apply to every company based in the United Kingdom that processes personal data. Much like its European alter ego, it is expected to apply to all foreign companies that don’t have an establishment in the United Kingdom but that offer goods or services to data subjects situated in the UK or monitor the behavior of data subjects located in the UK.
A possible duplication of the DPO role
With the arrival of Brexit a question arises: will companies outside the EU that currently have a DPO in the UK have to appoint a second DPO based in one of the EU Member States?
According to the GDPR, the DPO must be “easily accessible from each establishment”. A DPO based in the UK wouldn’t be against this principle of accessibility. However, the Article 29 Data Protection Working Party considers that the DPO must be located in the European Union. Even if the opinions and recommendations of the WP29 are not legally binding, it is very likely that most companies will choose to move their DPO to an EU country.
It is not unlikely that the “UK-GDPR” will contain similar provisions, strongly recommending that the DPO be located in the UK. If this scenario becomes reality, companies that do business involving both EU and UK data subjects may find themselves having to duplicate the DPO role in order to comply with both Regulations.
What about the Legal Representative?
According to the GDPR, data controllers and data processors established outside the EU must appoint a legal representative located in one of the EU Member States. A direct consequence of Brexit is that companies that had opted for the UK as the location of their legal representative will now have to locate them in the EU.
In the post-Brexit era, the UK is likely to maintain the requirement for the legal representative to be located in the country. In that context, the businesses concerned will need to consider duplicating the role to meet the requirements of both the EU and the UK.
If you would like more information about the impact of Brexit on your data protection policy, don’t hesitate to contact Privacy Praxis. We offer a wide range of services related to data protection and the compliance of your information systems with the GDPR. Privacy Praxis is able to cover your DPO needs in the EU and in the UK and help you appoint legal representatives through its partners.