On 01 January 2021, the United Kingdom (UK) ceased to be a member state of the European Union (EU). One significant implication of this is that, fundamentally, EU legislation and regulation also ceased to apply. One of these is the EU General Data Protection Regulation (EU GDPR), the data protection regulatory framework of the EU. This article will briefly set out the similarities and differences between the EU GDPR and UK GDPR provisions that are most applicable to private companies. The concept of the EU (GDPR) representative (as defined and regulated in both the EU and UK GDPRs) will also be succinctly outlined, with a view to providing companies with practical pointers.
The UK data protection regulation is set out in the UK GDPR along with the UK Data Protection Act of 2018. The UK GDPR came into effect on 01 January 2021, is founded on the EU GDPR (which also applied in the UK before Brexit) and has some differences to the EU GDPR “to make it work more effectively in a UK context”.
Adequacy Decision, Similarities & Differences between UK GDPR & EU GDPR
On 28 June 2021 the European Commission (EC) adopted an adequacy decision for the transfer of personal data to the UK (valid for an initial period of four years until 27 June 2025), which indicates that the EC deems the UK’s legislation and public institutions to provide adequate levels of protection for personal data that is transferred from the EU to the UK. According to the Commission’s Implementing Decision of 28 June 2021 on the adequate protection of personal data by the UK (“EC Implementing Decision”), the following similarities and differences exist between the EU GDPR and the UK GDPR (as set out in the table below). The items in the table reflect those that would be most relevant for and between companies:
The EU Representative: EU GDPR Still Applies to UK Companies
Even though there are many similarities between the EU GDPR and the UK GDPR, UK companies will be required to, among other things, designate an EU representative. According to the UK Information Commissioner’s Office, controllers and processors operating in the UK
- who have no business presence in the European Economic Area (EEA) (in the form of branches, offices or other establishments), but
- offer goods or services to individuals in the EEA or
- monitor the behaviour of individuals in the EEA, must
- comply with the EU GDPR in respect of such processing, and
- appoint an EU representative based in the EEA (and specifically, in the country where some of the individuals’ personal data that is being processed is located).
The EU representative
1. Must be duly appointed in writing and authorised to act on behalf of the said UK controller or processor in respect of EU GDPR compliance;
2. Is appointed to also deal with any EU supervisory authorities or EU data subjects;
3. May be a company, individual or an organisation established in the EEA;
4. Must be able to represent the UK controller or processor in respect of its EU GDPR obligations.
The adequacy decision that was granted in favour of the UK by the European Commission on 28 June 2021 makes the transfer and processing of personal data of residents in these jurisdictions much easier. While there are also many similarities between the EU GDPR and the UK GDPR, the requirement for data controllers and processors to appoint GDPR representatives should not be underestimated. We are your certified and trusted EU GDPR representative – at your service.
More details on:
Paras 2.2 – 2.3 of the EC Implementing Decision
Para 2.5.7 (75) of the EC Implementing Decision
The EEA comprises the 27 EU member states plus Iceland, Liechtenstein & Norway.