Would we need an EU representative and a UK rep post brexit if we don’t have an establishment in Europe/uk?
Yes, you would need both. An EU Representative AND a UK rep. This might change during the negotiations. But right now the scenario would be that due to Article 27 you must appoint both. That representative would need to be established in a member state where you process the majority of the data.
The GDPR does not state where a DPO must be located, it states that the DPO must be easily accessible from each establishment.
A UK DPO in a European company would be fine. The EADP has recommended that organisations processing data in both the UK and EU should appoint a DPO in the EU, however this is not a requirement of the regulation. Smaller organizations who have one DPO right now should be able to continue with one DPO.
If you do decide to move the location of your DPO, you must inform the lead or relevant Supervisory Authority(ies) of their contact details.
No, there should be no impact. The “reasonable technical and organisational measures” expectation of Article 32 remains unchanged, as do the Individuals’ rights in terms of the right to be forgotten etc. The Article 5 principles of the EU and the UK GDPR will remain the same, everything you are doing now under the EU GDPR, you should continue doing under the UK GDPR.
Currently all personal data moving from the EU/UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. The Privacy Shield is designed to ensure the free flow of personal data between the EU and US while at the same time obligating US companies to implement similar protections for EU’s residents’ data as that offered by the GDPR.
The EU/US Privacy Shield will still apply to the UK up until the end of the transition period (currently 31st of December 2020), therefore it is essentially business as usual until then. After this time, the UK has stated that it will recognise the Privacy Shield framework as adequate for UK to US personal data transfers.
UK companies should confirm that Privacy Shield certified organisations that personal data is transferred to have made these updates and that they renew their certification annually
Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.
What if I, an EU company, incidentally have employees working from within the UK, when traveling for example? Is that still allowed?
Yes, it is still allowed. The scenario is no different to now for when those same employees are travelling to any other (non-adequate) country outside of the EU. You would be expected to implement appropriate technical and organisational measures to safeguard the data being processed between you and the employee.
In order for the Article 3 extra territorial scope of the GDPR to apply, subjects need to be ‘resident’ in the EU. This therefore also includes non-EU citizens who are living/resident in the EU. If the subject you describe (whilst being an EU citizen) is resident in a non-EU country (as the UK will be), then the EU GDPR would not apply to that subject. The UK GDPR would however apply. If you are based in (say) Spain, but processing data on a UK resident (from Spain), then you would caught by the extra territorial scope of Article 3 from the UK GDPR.
Can you confirm, if you choose a lead authority, for example the ICO, does this mean that they are the only authority that can impose a penalty or can the EU country authority impose in addition to the ICO?
The ICO are not necessarily the only authority that can impose a penalty, as should an issue affect a large number of data subjects in a particular member state, then the authority in that state may require their involvement. However the specific purpose of the one-stop-shop is to significantly reduce the need for more than one authority to be involved. Remember that the ICO can no longer be your lead authority after the 31st of December 2020, so you will need to nominate a authority from the remaining 27 member states.