Is an Article 27 GDPR representative liable for a controller’s breach?

Are GDPR Article 27 representatives liable? Cynthia O'Donoghue summarises a recent decision from the High Court that suggests not.

The English High Court delivered an important judgment earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB). 

Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR), either because it sells goods or services to individuals in the EU or monitors their behaviour, it is usually required to appoint a representative. Since Brexit, where such processing involves individuals in the UK, a UK-based representative is also required under the UK GDPR.

This case concerned the liability of the UK representatives of data controllers based outside the UK. The High Court struck out the claim and held that Article 27 GDPR does not create ‘representative liability’.

Background

The claimant Mr Sansó Rondón brought a claim against LexisNexis Risk Solutions, the designated ‘representative’ of U.S. company World Compliance Inc. (WorldCo). WorldCo is the controller of a database containing millions of profiles of individuals. The claimant argued WorldCo’s processing of his personal data in producing a profile of him breached the GDPR. The defendant applied for the claim to be struck out, or alternatively for summary judgment, arguing that a representative cannot be held liable for the actions of a controller and the remedies sought can only be obtained from a controller.

The judgment

The judge could find “no positive encouragement for ‘representative liability’ anywhere other than the last sentence of Recital 80.” The last sentence of Recital 80 states “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” The judge concluded that if the GDPR had intended to achieve ‘representative liability’ it would have “said so more clearly in its operative provisions”.

The judgment highlighted that a representative does not have the power a controller or processor has “on a day to day basis over how and why data are processed”. The European Data Protection Board (EDPB) guidelines also state that the representative “is not itself responsible for complying with data subject rights”. From a practical perspective, the judge noted that the representative has neither direct access to the personal data nor control over the operations performed on it, so it cannot itself rectify or erase data. The functions a representative does have instead fit its place in the “triangle of relationships between controllers, data subjects and the ICO”.

The judge held the Article 27 representative could not be held liable for the actions of WorldCo as a controller and the remedies sought could only be obtained from WorldCo and not from its representative.

Comment

Until now it has not been clear to what extent an Article 27 representative may be held liable to enforcement action. This case provides a welcome confirmation from the courts to those organisations with GDPR representative services. The claimant has been granted permission to appeal so we will report on any future developments.


Cynthia O'Donoghue is a Partner at Reed Smith, a trustee for the Society of Computers & Law, a member of the City of Law Society Data Committee and serves on the MedTech Europe data protection committee.

This article was first published on the Reed Smith Technology Law Dispatch blog and is reproduced here with permission.

Published: 2021-08-25T11:00:00
