On 1st October GL Law merged with national law firm Shakespeare Martineau as part of an exciting growth plan. To find out more read the full story here. If you have any urgent queries please reach out to your usual contact, email, or call 0117 906 9400.

Home > News > Do you have EU clients? Then you may need an EU Data Representative

Do you have EU clients? Then you may need an EU Data Representative

19 January 2021 |

In this guest blog article Marcus Broix, Director at Trade with Europe Ltd, informs us about the new GDPR requirements. Trade with Europe are a one-stop solutions partner for barrier-free trading with Europe and the rest of the world, in Bristol, UK. 

If you run a UK business with a client base in the EEA (EU countries plus Norway, Liechtenstein and Iceland) it is likely you will need to appoint an EU Data Representative, a requirement which came into effect on the 1st Jan 2021 under the EU-UK Trade and Cooperation Agreement.

Will this affect your business?

Yes, if you

  • have no offices, branches or other establishments in the EEA.
  • process data of individuals in the EEA on a regular basis or monitor their behaviour. 

Are there any exceptions?

Yes, data processors based outside the EEA are exempt if

  • they only process data very occasionally.
  • they do not present risks to “rights and freedoms” of EU data subjects.
  • they do not process sensitive personal data as in the special data categories.
  • their organisation is a public body.

Here are some examples

If you are a retailer or service provider regularly selling to clients in the EEA and therefore hold a customer data base you will definitely need an EU Data Representative.

If you offer niche products via an online marketplace and sell these to individuals in the EEA a few times a year, then this would be negligible (according to Art. 27 Par. 2 EU GDPR), therefore you would not need to appoint one.

What are the fines in case of breach of GDPR?

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

What are the responsibilities of an EU Data Representative?

In accordance with Article 27 and Article 30 EU GDPR the tasks comprise of

  • the representation of your organisation before all supervisory data protection authorities in the EEA.
  • maintaining Records of Processing Activities (ROPA).
  • notifying you of any changes regarding EU data protection legislation and other relevant data protection regulations in the EU.
  • liaison with affected data subjects regarding requests or complaints.
  • the endeavour to reach an out-of-court settlement in case of breach of GDPR.

This affects my business – what do I need to do?

Search for an EU Data Representative, this can be an individual or an organisation based in the EEA. Your Representative will cover you for the whole EEA, however, it might be an advantage to appoint one in the country you have the most dealings with.

The legal minimum requirement for the appointment would be by submitting a letter, which must include the following information: your company name and address, your EU Representative’s name and contact details and a reference to the need for the appointment according to Article 27 EU GDPR.

Further, you should sign a service contract with your Representative governing the conditions of the appointment (pay, hours worked, termination notice, etc.), clauses balancing liability, an indemnity clause and an NDA.

Once everything is set up you need to publish the details of your EU Data Representative via your Privacy Policy, so regulatory bodies and data subjects can contact them. After all your Representative will be the first port of call for third parties and can also be held partially liable (you are still fully liable) for any breaches.

Trade with Europe Ltd provides one-stop solutions for UK businesses to export and grow European markets. Circumvent trade barriers and manage your EU trade from the UK with only minimal disruption to your everyday business.

Take a look at this update from the GL Law corporate team for more information about the legal aspects of post-Brexit data protection including international data transfers and SCCS. To contact GL Law please call 0117 906 9400 or email 

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

  • What can we help you with?