If you are intending to process the personal data of people in the UK or EU, you either need to be based in the UK or EU or have appointed a representative there. To date, the exact role of a so-called "Article 27 Rep" has been far from clear. We now have a first UK Court judgment on this topic, which provides some much needed judicial analysis in interpreting the role of representatives mandated under Article 27 of the GDPR on behalf of controllers or processors not established in the UK or EU. In the Court's words, the 'good guys' appoint Article 27 Reps and their mandate needs to clearly define the extent of their role. However, in the UK at least, Article 27 Reps cannot be liable for breaches of the GDPR by controllers or processors.
Although the judgment found against a scheme of 'representative liability', the Court did consider (at paragraph 74) that the role of an Article 27 Rep is
"…a considerably fuller role than a mere postbox ‘to be addressed’. Even the language of ‘conduit’ or ‘liaison’ does not fully capture the job the GDPR gives to representatives. The role is an enriched one, active rather than passive. At its core is a bespoke suite of directly-imposed functions. These are crafted to fit together with, and belong in the triangle of, the relationships between controller, ICO and data subject. The job focuses on providing local transparency and availability to data subjects, and local regulatory co-operation. And the appointment is of course an opportunity for foreign controllers to give representatives any other ambassadorial - ‘shop window’ or customer-facing - functions, additional to the core ‘mandate’ functions, as they consider desirable demonstrations of their compliance credentials."
Much, therefore, comes down to the written mandate given to the Article 27 Rep by the controller or processor. The core functions of an Article 27 Rep provided in the GDPR are:
- Maintaining a record of processing (Article 30(1) or 30(2))
- Making that record available (Article 30(4))
- Cooperating, on request, with a regulator in the performance of the regulator’s tasks (Article 31)
- Providing any information the regulator requires for the performance of its tasks (Article 58(1)(a)).
This position under the GDPR itself may be contrasted with Article 30 of the Spanish Organic Law 3/2018 on Protection of Personal Data and the Guarantee of Digital Rights. This provides that Spanish regulators may impose on the representative, jointly and severally with the controller or processor, the measures set out in the GDPR. Moreover, they can also impose liability to data subjects under Article 82 of the GDPR, with the controllers, processors and representatives being jointly and severally liable for the damage caused. The law in Spain would appear to go beyond the base requirements of the GDPR itself and seeks to establish a scheme of ‘representative liability’ that is not, according to the UK Courts, otherwise present in the GDPR or UK data protection law.
Following this judgment, it is important for controllers and processors to review (or put in place) mandates with Art 27 Reps, making sure that the scope of the role is clear, and that the controller's or processor's compliance credentials are being demonstrated.
Mr Baldo Sansó Rondón v LexisNexis Risk Solutions UK Limited EWHC 1427 (QB)
Mr Baldo Sansó Rondón (R) is an individual with Italian and Venezuelan citizenship residing in Italy. His claim related to a database maintained by World Compliance Inc. (WorldCo), a US company assisting businesses to comply with laws combating money laundering and terrorism financing. This database included a profile on R, which R objected to. LexisNexis Risk Solutions UK Limited (LexisNexis) is designated as WorldCo's representative under Article 27 of the GDPR. As WorldCo was out of jurisdiction, R's claims were made against LexisNexis.
Article 27 of the GDPR
The extraterritorial effect of the GDPR (or UK GDPR) is engaged where there is processing of personal data of data subjects who are in the UK/EU in relation to: (a) the offering of goods or services in the UK/EU; or (b) the monitoring of their behaviour as far as it takes place within the UK/EU. If the controller or processor is not located in the UK/EU, then Article 27 requires them to designate in writing a representative in the UK/EU, unless limited exceptions apply.
Article 27(4) of the GDPR requires that Article 27 Reps are mandated by the controller or processor to be addressed in addition to or instead of the controller or processor "…on all issues related to processing, for the purposes of ensuring compliance with [the GDPR]".
Article 27(5) of the GDPR provides that the designation of an Article 27 Rep is "…without prejudice to legal actions which could be initiated against the controller or the processor themselves."
Recital 80 provides further context on the designation of an Article 27 Rep, which includes the following last sentence:
"The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor."
It is this recital that has led to much debate about whether Article 27 Reps could be liable if a controller or processor breaches the GDPR.
EDPB guidelines and the ICO's view
In respect of the final sentence of Recital 80, and as noted in the judgment at paragraph 32, the EDPB has clarified (in its "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)") that:
"This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative, in accordance with articles 58(2) and 83 of the GDPR. The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1)[a] of the GDPR".
The judgment also references (at paragraph 37) communications between the ICO and LexisNexis on the interpretation of Article 27, in which the ICO states:
"It is the view of the ICO that the role of an Article 27 representative of overseas data controllers and processors is limited to that of conduit of communications between the overseas entity and the ICO or relevant data subjects. Therefore the ICO is not seeking an interpretation of Article 27 that allows representatives to be held directly liable should a controller or processor they represent fail in their data protection obligations…An Article 27 representative does not undertake any other business activity related to the processing of the controller or processor, other than acting as a contact point for data subjects and the ICO. From the point of view of the ICO, the existence of a representative makes it easier to take action against a controller by acting as a conduit, but any enforcement action is directed against the controller itself."
The Court's findings
Mrs Collins Rice J found for LexisNexis in striking out R's claim. In identifying the challenge with the final sentence of Recital 80 (paragraph 96), the Court concluded (at paragraph 97) that:
"…Art.27 is not ambiguous about whether it requires that a representative stand in the shoes of a controller as a respondent/defendant to enforcement action: it does not create ‘representative liability’. The fact that Art.27 may not absolutely exclude the Claimant’s contended interpretation does not make it ambiguous."
Other than in the final sentence of Recital 80 (in respect of which the Court found "…no strong compulsion…"), the Court could find no basis for a scheme of ‘representative liability’, concluding:
"that if the GDPR had intended to achieve ‘representative liability’ then it would necessarily have said so more clearly in its operative provisions; and that it is a proposition on any basis too weighty to be blown in by the ‘interpretative sidewind’ of the last sentence of Rec.80." (paragraph 101).