UK GDPR Article 27: Legal Rules and Criteria for Appointing Representatives

In Short

  • Non-UK businesses must comply with UK GDPR if they process UK residents’ personal data, including appointing a UK representative under Article 27 if they have no UK presence.
  • A UK representative acts as a local contact for the ICO and individuals, but appointing one does not remove the business’s legal responsibilities.
  • Ignoring UK GDPR obligations can result in penalties and reputational harm, while compliance can enhance business credibility and trust in the UK market.

Tips for Businesses

Check if your business needs to appoint a UK representative under Article 27 by assessing whether you process UK personal data without a physical UK presence. Review UK GDPR obligations beyond Article 27, including privacy policies, security measures, and international data transfer compliance. Seek legal advice if you’re unsure about your requirements.

Many businesses today operate globally and engage with UK customers by selling products, providing services, or analysing user online behaviour. Where personal data is involved, the UK GDPR rules can apply even to businesses outside the UK. The UK GDPR sets important legal obligations for businesses that process UK residents’ personal data. If your company operates outside the UK but processes data about individuals in the UK in specific ways, you may need to comply with Article 27 of the UK GDPR, which requires the appointment of a representative.

This article explores the importance of UK GDPR compliance, the legal rules and criteria under Article 27, and other common data protection law compliance considerations for businesses outside the UK that are subject to the UK GDPR.

Why is Data Protection Compliance Important for a Non-UK Company?

Due to its extraterritorial reach, the UK GDPR applies to many non-UK businesses. You must comply with it if you offer goods or services to individuals in the UK or monitor the behaviour of UK individuals online. 

Compliance can help protect your business from legal penalties and strengthen your market position in the UK. Many UK companies conduct UK GDPR due diligence before forming partnerships to verify their business partners’ compliance. Potential partners may refuse to work with you if your business cannot demonstrate that it operates in a compliant manner. Maintaining a strong compliance record can positively impact your business, giving it a competitive advantage. UK customers and partners may prefer working with international companies that give them confidence that data privacy is being prioritised and the risk to individuals’ data reduced.

When Does Article 27 Require Your Business to Take Action?

Article 27 of the UK GDPR sets out a key legal requirement for certain controller or processor businesses without a UK presence to appoint a representative in the UK. This is vital if your company does not have a UK office, branch, or establishment but offers UK individuals goods or services or monitors their behaviour. If your business meets these conditions, the UK GDPR requires you to comply with Article 27.

A UK representative will act as your local contact for UK GDPR compliance. The representative will liaise with UK residents and the ICO and maintain records of your data processing activities. Their contact details must be available to individuals and regulators, such as on your website or privacy notice.

What Does the ICO Say About Article 27 Compliance?

The ICO has set clear expectations for businesses regarding the requirements of Article 27.

The ICO guidance provides valuable insights. It is essential to note the following:

  • you must authorise (i.e. appoint) your UK representative in writing;
  • the representative can be an individual or an organisation based in the UK;
  • you should ensure you provide your representative’s details to UK individuals, and the details should be easily accessible to the ICO;
  • written appointment terms should clearly set out your representative’s role and obligations – e.g. in a contract; and
  • appointing a representative does not remove your legal responsibilities or liability under UK GDPR – remember you are still accountable for your compliance.

Businesses outside the UK should understand the rules around appointing a representative and take steps to comply with these requirements where necessary. 

Are There Any Exemptions Under Article 27?

As set out in the ICO’s guidance, your business does not need to comply with Article 27 if it is a public authority or if your processing:

  • is occasional;
  • poses a low risk to the data protection rights of individuals; and
  • does not involve large-scale use of special category or criminal offence data.

However, you should carefully review these criteria to determine whether your processing is ‘occasional’. Assuming an exemption applies without a full assessment can create legal risks of non-compliance. If you are unsure if you need to comply with Article 27, you should seek legal advice to confirm your obligations. 

A data protection lawyer in the UK will work to understand your data processing activities carefully, guide you on whether you need to appoint a UK representative and advise you on how to protect your business when doing so. 

Is Compliance With Article 27 Needed Where You Have a DPO?

Having a Data Protection Officer (DPO) does not mean you do not need to comply with Article 27 where necessary. These two obligations serve different purposes.

Your business must appoint a DPO in certain circumstances where required by law. A DPO will work within your organisation to oversee and foster compliance, advise on legal obligations, and monitor internal practices and policies around data protection. 

Compliance with Article 27, on the other hand, applies specifically to businesses outside the UK that process UK personal data. Even with a DPO, you must still meet the Article 27 requirements if your business meets the criteria.

Other UK GDPR Compliance Obligations 

Compliance with Article 27 is only one part of your UK GDPR obligations if your international business is subject to the UK GDPR rules. 

Depending on whether you act as a data controller or processor, how you use personal data in practice, and its risk and sensitivity, you are likely to have a whole range of other potential compliance obligations.

Mapping your data flows to understand what data you collect, why, and how you process it is a key first step to determining your UK GDPR compliance obligations. 

Common Considerations

While these will vary for different international businesses, common considerations for international companies acting as data controllers include the following:

  • you must comply with UK GDPR principles;
  • you must provide a UK GDPR-compliant privacy notice to UK individual data subjects (e.g. customers and staff);
  • you will need to implement robust security measures to protect personal data from breaches or unauthorised access;
  • you also need a data breach response plan to notify the ICO and affected individuals when necessary and implement various other policies and procedures to comply with your obligations and facilitate data subject rights; and 
  • where you transfer personal data outside the UK, you must ensure international data transfers comply with UK GDPR rules. 

Navigating these requirements can be highly complicated for a non-UK business without knowledge of UK data protection laws, so working with a UK data protection solicitor is the best approach to help you confidently tackle your obligations and put your mind at ease when trading in the UK. Taking these obligations seriously and prioritising compliance is essential to avoid risk and potential penalties. 

Key Takeaways

Non-UK businesses subject to the UK GDPR rules can have a range of essential obligations. A UK representative may be required if your business processes UK personal data without a physical presence in the UK. It is necessary to carefully consider the criteria for appointing a UK representative under Article 27 and appoint one where necessary. Ignoring this requirement can lead to penalties and reputational harm. In contrast, prioritising UK GDPR compliance can help build credibility for your business and trust when operating in the UK market. 

If you need help reviewing your UK GDPR compliance, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What does Article 27 of the UK GDPR say?

Article 27 requires businesses outside the UK that process UK residents’ data but have no UK office or presence to appoint a UK representative, unless limited exceptions apply. The representative will act as a local contact for individuals and the ICO.

Does UK GDPR apply to non-UK businesses?

The UK GDPR applies to businesses outside the UK that offer goods or services to UK individuals or monitor their behaviour. If your business falls under this scope, UK GDPR compliance is mandatory.

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.
