Pursuant to Article 27 of the GDPR, organisations (i.e. controllers or processors) not established in the European Union are required to appoint a representative in the EU when they process personal data within the scope of the GDPR.
Following the €525,000 fine imposed on Locatefamily.com on 12 May 2021 by the Dutch Data Protection Authority for the company's failure to appoint an EU GDPR representative, the topic of representatives has come under scrutiny again, this time by the High Court of England and Wales (in a pre-Brexit context).
In Rondon v LexisNexis Risk Solutions UK Ltd, a question arose as to the interpretation of the EU GDPR: specifically, whether the representative of a foreign controller could be liable for breaches of the EU GDPR for which the controller is liable.
Facts of the case
The claimant, Sanso Rondon, brought a claim against the EU representative of World Compliance Inc, a company that owns a database designed to assist subscribing businesses in complying with laws combating money laundering and terrorism financing. The database contains profiles of individuals, including Rondon.
Rondon objected to the profile and contended that World Compliance Inc (“WorldCo”) had not respected his rights under the EU GDPR. Rondon issued his claim against LexisNexis Risk Solutions UK Ltd (“Lexis”), the representative of WorldCo, on the basis that Lexis was liable for breaches for which WorldCo was the controller. Lexis applied for the claim to be struck out on the ground that it had been brought against the wrong defendant, interpreting the EU GDPR as providing that a representative cannot be held liable for the actions of a controller.
Both parties acknowledged that the case turned entirely on the interpretation of what the EU GDPR says about the role and functions of representatives.
The judgment handed down on 28 May 2021 considered the different interpretations put forward by Rondon and Lexis, ultimately finding that the EU GDPR gives representatives “a bespoke, limited but important role which supports and is ancillary but not alternative to extra-jurisdictional enforcement against Art.3.2 controllers”. The court thus concluded that representatives cannot be held liable in place of controllers.
Interpretation of representative liability
The conclusion centred on four interesting interpretational points.
- The EU GDPR creates the representative role with specificity, but it does not unambiguously provide for any such liability. Had this been the intention of the EU GDPR, the language would have made it clear.
- If the intention was for representatives to ‘stand in the controller’s shoes’ for enforcement purposes, representatives would be required to provide remedies which involve direct access to, and operations on, the personal data themselves. This does not appear to be the intention under the EU GDPR. Enforcement powers are conferred on authorities because controllers and processors have day-to-day power over personal data, including how and why it is processed. A representative has no such power.
- Similarly, if the intention was for representatives to ‘stand in the controller’s shoes’, the package of duties explicitly set out for representatives would be irrelevant, and there would be no distinction between the investigative and corrective powers that Art 58 provides for if both could be exercised against the representative.
- The EU GDPR in fact appears to aim at excluding representative liability rather than promoting it, with Article 27.5 indicating that representative liability could not be cumulative with controller liability.
Rondon’s key counter-argument to this interpretation was that the final sentence of Recital 80 states that “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. Although persuasive at face value, the court concluded that, when read alongside Art 27.5 and the rest of Recital 80, and properly contextualised against the four points identified above, the statement is insufficient to displace the interpretation the court adopts in this case. The court concludes by saying “if the GDPR had intended to achieve 'representative liability' then it would necessarily have said so more clearly in its operative provisions; and that it is a proposition on any basis too weighty to be blown in by the 'interpretative sidewind' of the last sentence of Rec.80”.
A pragmatic conclusion
The ruling reflects a pragmatic and thorough exploration of the concept of representative liability, clearly indicating that a representative is liable only in relation to its own statutory obligations. Article 27 and Recital 80 have previously caused uncertainty, so this is likely to be a welcome precedent for representatives, clarifying their status in relation to enforcement and liability for controller/processor actions.
Although the judgment was given in the context of the EU GDPR pre-Brexit, it is expected that this case can still serve as a useful precedent under the UK GDPR.