Pursuant to Article 27 of the GDPR, organisations (i.e. controllers or processors) not established in the European Union are required to appoint a representative in the EU when they process personal data within the scope of the GDPR.
Following the €525,000 fine passed down to Locatefamily.com on 12 May 2021 by the Dutch Data Protection Authority for failure by the company to appoint an EU GDPR representative in the EU, the topic of representatives has been under scrutiny again, this time by the High Court of England and Wales (in a pre-Brexit context).
In the case of Rondon v LexisNexis Risk Solutions UK Ltd, a question arose as to the interpretation of the EU GDPR: whether a representative of a foreign controller could be liable in respect of breaches of the EU GDPR for which the controller is liable.
The claimant, Sanso Rondon, brought a claim against the EU representative of World Compliance Inc, a company that owns a database designed to help subscribing businesses comply with laws combating money laundering and terrorism finance. The database contains profiles of individuals, Rondon being among these individuals.
Rondon objected to the profile and held that World Compliance Inc (“WorldCo”) had not respected his rights under the EU GDPR. Rondon issued his claim against LexisNexis Risk Solutions UK Ltd (“Lexis”), the representative of WorldCo, holding that Lexis was liable in respect of breaches for which WorldCo was the controller. Lexis applied for the claim to be terminated as a result of it being brought against the wrong defendant, interpreting the EU GDPR as holding that a representative cannot be held liable for the actions of a controller.
Both parties acknowledged that the case turned entirely on the interpretation of what the EU GDPR says about the role and functions of representatives.
The judgment handed down on 28 May 2021 considered the different interpretations put forward by Rondon and Lexis, ultimately finding that the EU GDPR gives representatives “a bespoke, limited but important role which supports and is ancillary but not alternative to extra-jurisdictional enforcement against Art.3.2 controllers”. The court thus concluded that representatives cannot be held liable in place of controllers.
The conclusion centred around four interesting interpretational points.
The key counter argument by Rondon to this interpretation was that the final sentence in Recital 80 holds that “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. Although at face value persuasive, the court concluded that when read alongside Art 27.5, the rest of recital 80, and properly contextualised alongside the four points identified above, the statement is insufficient to overrule the interpretation the court takes in this case. The court concludes by saying “if the GDPR had intended to achieve 'representative liability' then it would necessarily have said so more clearly in its operative provisions; and that it is a proposition on any basis too weighty to be blown in by the 'interpretative sidewind' of the last sentence of Rec.80”.
The ruling indicates a pragmatic and fulsome exploration of the concept of representative liability – clearly indicating that a representative’s liability is only applicable in relation to its own statutory obligations. Article 27 and Recital 80 have previously caused uncertainty and as such, this is likely to be a welcome precedent for those in the role of representatives to clarify their status in relation to enforcement and liability over controller/processor actions.
Although the judgment was in the context of the EU GDPR pre-Brexit, it is expected that this case can still be used as a useful precedent under the UK GDPR.
Bird & Bird Privacy Solutions offers UK and EU GDPR Representative services. Our representative services are provided by a team of expert lawyers and compliance advisors, with in-depth experience of working with EU and UK regulators and advising on privacy compliance projects. The team also works closely with our top-ranked data privacy legal specialists, enabling us to provide you with the legal guidance needed to respond effectively to inquiries by supervisory authorities or more complex interactions with data subjects.