- Solicitors For Business
- Solicitors For You
- About Us
- News & Events
Can Estates and Letting Agents Deal with EEA Clients After Brexit21st December 2020 Commercial Litigation
One of the key questions for the future of data protection compliance in the UK is the situation after Brexit. In particular, the UK is part of an overall data protection regime which embraces the entirety of the EEA. If we leave the EEA, especially if we leave with no deal, we depart the EEA data protection mechanism immediately, unless something else is put in place. This means that businesses, including letting and estate agents, who process the personal data of EEA nationals will no longer be able to do so easily. This is because our membership of the EU meant that previously we were part of the GDPR regime and so automatically considered a “safe pair of hands” for that purpose. If we are not within the EEA and do not have a specific deal covering the GDPR then UK businesses will be like any other third-country business. In other words, UK business will get no better treatment than a business from China or South Africa for example.
What will business need to do?
This will only affect agents who have clients or third parties (tenants and property buyers) who are in the EEA. If an agent is dealing entirely with UK nationals they will simply need to continue to comply with the data protection requirements in the UK, which they should be doing already.
For agents who have clients or third parties such as tenants or property buyers coming from elsewhere in the EEA the obligations will be a little different. Firstly, they will need to comply with the GDPR. Of course, as the UK is currently within the GDPR all agents should already be GDPR compliant and this will not be a significant burden initially. However, the prime minister has already suggested that the UK will create its own data protection regime and so it is possible that agents will find themselves having to comply with a UK regime as well as the GDPR.
The most difficult aspect of compliance is that the GDPR imposes an absolute requirement on business to have a representative within the EEA if they are processing personal data from EEA nationals. This means that a UK business, such as a letting agent, that is processing personal data from landlords in France, Italy, or any other EEA country must either have an office in an EEA country or have entered into a relationship with a person or organisation established in the EEA to represent them for the purposes of the GDPR. There is no particular rule on where exactly in the EEA that representative must be but the norm is to have them in the country in which most business is being done. So if an agent had predominantly Spanish clients with a few from Ireland then the right place to have a representative would be Spain. There is no need to have more than one representative though so in the above example a representative in Spain would be fine even though some clients are in Ireland or indeed any other EEA country. It is also important to note that the current location of the individuals is not relevant, it is their residency status that matters. So if I deal with holiday lets and the occupiers are EEA nationals I will still need an EEA based GDPR representative because although they are coming to the UK and I am providing the service here, they remain EEA nationals and protected by the GDPR in relation to their personal data.
What should agents do now?
It remains possible that a deal will be done and that this issue will be resolved. But it would be sensible for agents, especially those with substantial EEA client bases, to take steps to prepare for this now.
It may be that agents will look at the people they are dealing with, find that relatively few of them are from outside the UK, and make a decision not to involve themselves in the issue. This will mean they will not need to arrange an EEA based GDPR representative but will also mean that they will not be able to deal with anyone from the EEA at all. However, this may be the more economic option and notably, when the GDPR came into effect, several non-EEA based organisations on the internet started blocking access from the EEA to their websites in order to avoid the necessity of having an EEA-based GDPR representative.
What can you do to help?
JMW solicitors is able to assist with organising suitable GDPR compliant representatives in most EEA countries. In several countries these are already set up and they can be quickly organised in other countries as well. We can quickly assist agents in assessing whether they need a representative and prepare the documents required to put that arrangement in place.