18 Feb 2022
Written by Christina Christodoulou
Under the GDPR, controllers or processors not established in the European Union are required to appoint a representative in the EU, and now post-Brexit a representative in the UK, when they process personal data within the scope of the GDPR or the UK GDPR respectively. The representative serves as an important mechanism for ensuring the GDPR is complied with even when the controller or processor is outside the EU. In a recent case before a UK Court, the relationship between a data controller or processor and the appointed representative and their potential liability, derived from their obligation towards the data subjects, have come under thorough examination.
The General Data Protection Regulation’s (“GDPR”) extraterritorial scope, set out in Article 3(2), extends to non-EU-based data controllers or processors who offer goods and services to data subjects in the EU/EEA, or who monitor data subjects’ behaviour in so far as that behaviour takes place within the EU/EEA. Organisations that fall within this extraterritorial scope are under an obligation to designate a Data Protection Representative (“DPR”) in the EU/EEA. To elaborate further, Article 27 states that where a controller or processor falls within the extraterritorial application of Article 3(2), unless certain exemptions apply, they are required to designate a legal or natural person established in the European Union, who will represent them with regard to their respective obligations under the GDPR. A DPR must be designated in writing and its details should be included in the appointing organisation’s Privacy Notice. The GDPR sets out specific obligations for the DPR, the main one being to communicate with data subjects and supervisory authorities, in place of the processor or controller, on all issues related to processing, for the purposes of ensuring compliance with the GDPR. The availability of a DPR is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.
A possible pitfall, however, lies in the wording of Recital 80, which indicates that: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. This wording, in particular, does raise questions about the potential liability of the representative, which greatly concerned those considering whether to appoint a Representative, and those considering whether to be appointed.
Moreover, in November 2018, the European Data Protection Board (“EDPB”) issued draft guidance that reinforced the idea of representative liability where the organisation does not comply, by stating that data protection authorities should be able to “initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable”. This was especially worrying for the many organisations that had taken on the role of DPR for other organisations.
However, the EDPB’s finalised Guidelines 3/2018, adopted on 12 November 2019, attempted to reduce the confusion by opining that “The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union”, hence taking the view that the Representative is not liable for the organisation’s GDPR violations.
This notable change of stance, in addition to the aforementioned wording of Recital 80, and especially given the non-binding character of the EDPB’s opinion, still left a certain degree of uncertainty as to whether the GDPR truly envisages DPRs’ liability extending beyond their own core obligations (i.e., Article 27, Article 30 and Article 58(1)(a)) to also cover obligations of the controller or processor, and therefore whether DPRs are responsible for standing in for their appointer for enforcement and remedial purposes.
A recent judgement by a UK Court has provided clarity on the matter, as analysed below.
The Recent Development Regarding the Liability of Representatives - UK High Court Decision
In the fairly recent case Baldo Sansó Rondón v. LexisNexis Risk Solutions UK Ltd, an important ruling was provided by the High Court in London regarding DPRs and liability. The facts of this particular case are the following: the defendant, LexisNexis Risk Solutions, acted as the DPR for World Compliance Inc, a US company that operated as the controller of a database containing individual profiles for the purpose of helping its clients comply with money laundering and terrorist financing laws. The claimant in this case, a businessman residing in Italy, had discovered that his profile was included in this database. He objected to this and brought a claim against the defendant before the High Court in London, alleging a number of breaches of the GDPR. The defendant applied for the claim to be disposed of without a trial, arguing that the claim was brought against the wrong defendant, as a DPR cannot be held liable for the actions of the respective data controller. Consequently, the UK Court found itself having to interpret the GDPR, specifically Article 27(4) and Article 27(5), and conclude as to whether a DPR could be held liable:
Article 27(4): “The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.”
Article 27(5): “The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.”
To summarise briefly the arguments presented by each side: firstly, the defendant argued that the phrase “to be addressed”, in Article 27(4), indicated that a DPR operates as a point of contact for the appointing controller, and that the phrase “without prejudice to”, in Article 27(5), implies that they stand neither as a proxy of nor in conjunction with the controller in legal actions raised for non-compliance with the GDPR. In turn, the claimant pointed out that the wording of Article 27(4), stating that the DPR is “mandated” to be addressed on “all issues…for the purposes of ensuring compliance”, reveals that representatives are intended to stand in the shoes of their appointing controllers for enforcement and remedial purposes. Additionally, the claimant contended that the purpose of Article 27(5) is to confirm that the DPR does have legal liability, which is in addition to and not in substitution for that of the data controller.
The Court held that, though the DPR had a “considerably fuller role than a mere post-box”, the GDPR does not confer any obligations on DPRs that suggest an intention to make them liable for the entirety of the controller’s responsibilities. Furthermore, the Court maintained that the EDPB’s Guidelines 3/2018 clarify that the DPR is not itself responsible for complying with data subject rights and that its role is to facilitate communication between data subjects and the controller, as well as any informational and procedural exchange between the supervisory authority and the controller. Lastly, the Court proclaimed that Recital 80 should be read in conjunction with Article 27(5), which – when analysed together – do not, in fact, provide for the existence of liability for DPRs.
In conclusion, the judgement by the UK Court has helped to clarify the parameters surrounding the issue of the DPR’s liability. Moreover, it further consolidates the concept that the DPR was introduced with the aim of facilitating liaison with, and ensuring effective enforcement of the GDPR against, controllers or processors that fall under Article 3(2) of the GDPR, and not to establish a substitutive liability of the representative in place of the controller or processor it represents in the Union. However, it should be noted that this does not mean that DPRs are exempt from all liability under the GDPR; rather, this liability is limited to their own distinct obligations, i.e. the duty to facilitate communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective; the obligation to maintain a Record of Processing Activities (Article 30); and the obligation to cooperate with supervisory authorities, in order to enable them to launch an investigation and/or enforcement proceedings against the controller or processor (Article 58(1)(a)).
All in all, the role of the DPR appears to be much less onerous now that the UK Court’s judgement has quashed the notion of joint and/or vicarious liability resulting from the controller’s or processor’s non-compliance.
The DPR’s core functions, as illustrated in the UK Court’s judgment, are indeed necessary to provide local transparency and availability to data subjects, as well as local regulatory co-operation. Organisations subject to the extraterritorial scope of the GDPR should therefore assess or reassess whether they are legally obliged to appoint a DPR, in order to comply with the GDPR and enhance their availability and transparency towards data subjects and supervisory authorities.