A “no deal Brexit” or “Brexit” with a withdrawl agreement is now likely to happen in the next month or so, following the EU granting an extension until the 31st of January 2020 for the UK government to obtain parliament’s approval to the final terms of the withdrawl agreement and the general election in the UK on the 12th of December. SaaS suppliers and SaaS customers need to take steps now to ensure that they comply with the requirement to appoint an EU Representative under the GDPR, where they will no longer have any establishment in the EU, after Brexit.
When must an EU Representative be appointed.
A SaaS supplier or SaaS customer must appoint an EU representative unless:
- the processing is occasional and does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
a public authority or body: or
- they are a public authority or body.
The EU representative is appointed by the SaaS supplier or SaaS customer to deal with supervisory authorities and data subjects on all issues related to the processing of personal data, for the purposes of ensuring compliance with the GDPR.
Do you have an EU Establishment
The GDPR does not define establishment.
However, Recital 22 of the GDPR says:
“Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
Therefore if a UK SaaS supplier or customer has a subsidiary incorporated in a Member State of the EU, this subsidiary will be fully subject to the GDPR, if it offers goods or services to individuals located in the EU. In this case the UK SaaS supplier or customer would not need to designate an EU representative, as it would have an establishment in the EU.
Where a SaaS supplier or customer does not have a subsidiary established in a Member State of the EU they will need to appoint an EU representative.
Who can be an EU Representative
An individual or a company. The individual or company does not have to work for or in the case of a company be owned by a linked to the SaaS supplier or SaaS customer.
Does the EU Representative have to be located in the EU
The EU representative must reside or be established in a Member State of the EU in which relevant data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
Appointing an EU Representative
The appointment must be in writing.
EEA based individuals whose personal data is being processing should be provided with the details of the EU representative.
Details of the EU representative must also be made easily accessible to supervisory authorities.
Other Brexit Considerations
SaaS suppliers and SaaS customers should be aware that following Brexit, the UK version of the GDPR will require a SaaS customer or SaaS supplier located outside of the UK, i.e. in the EU, to appoint a UK representative.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – GDPR – EU-US Privacy Shield Invalid
- SaaS Agreements – Brexit – Preparing for a “no deal” Brexit
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Brexit – EU data Transfers to the EU after Brexit
- SaaS Agreements – Brexit – Amendments to SaaS Terms and Conditions
- SaaS Agreements – GDPR – The General Data Protection Regulation