- The GDPR continues to apply substantively in the United Kingdom as national law under the name “UK GDPR” based on the European Union (Withdrawal) Act 2018.
- In addition, the Data Protection Act 2018 and the amendments made by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 remain applicable.
- According to Art. 27 UK GDPR, controllers and processors without an establishment in the UK must appoint a separate UK representative, even if they have an EU representative.
Since Brexit, English data protection law is essentially composed as follows:
- The GDPR continues to apply substantively, but no longer as a European regulation, but now as a “UK GDPR”, i.e. “Regulation (EU) 2016/679 […] as it forms part of the law of England and Wales, Scotland and Northern Ireland”., i.e., as national English law. This results from Section 3 of the European Union (Withdrawal) Act 2018.
- Furthermore, the English transposition law applies, i.e. the Data Protection Act 2018.
- In addition, with the coming into effect of Brexit, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 came into force. They mainly contain amendments to the UK GDPR and the Data Protection Act 2018.
An example of the interaction of these provisions is given by the rules on the representative in the United Kingdom, the UK Representative:
- Art. 27 of the GDPR requires the appointment of an EU representative under certain conditions.
- This also applies under the UK GDPR, now as English national law.
- However, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 amend the text of the GDPR. According to Schedule 1 paragraph 21, Art. 27 of the UK GDPR should be read as follows:
Article 27 Representatives of controllers or processors not established in the United Kingdom
1. where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the United Kingdom.
2. the obligation laid down in paragraph 1 of this Article shall not apply to:
(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) a public authority or body.
(Para. 3 omitted)
4. the representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, the Commissioner and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
5. the designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Controllers and processors outside the UK must therefore appoint a UK representative under the conditions of Art. 27 (UK) GDPR, even if they have already appointed an EU representative. Guidance on this can be found at the ICO. This is changed by the 4 – 6 month transition period for data transfers from EEA to UK nothingThis only relates to the appropriateness or admissibility of cross-border transfers, which has nothing to do with the duty to appoint.