| {{DPAdecisionBOX
| | #REDIRECT [[EWHC - Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788]] |
| | |
| |Jurisdiction=United Kingdom
| |
| |DPA-BG-Color=background-color:#023868;
| |
| |DPAlogo=LogoUK.png
| |
| |DPA_Abbrevation=ICO (UK)
| |
| |DPA_With_Country=ICO (UK)
| |
| | |
| |Case_Number_Name=Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788
| |
| |ECLI=
| |
| | |
| |Original_Source_Name_1=BAILII
| |
| |Original_Source_Link_1=https://www.bailii.org/ew/cases/EWHC/QB/2021/1427.html
| |
| |Original_Source_Language_1=English
| |
| |Original_Source_Language__Code_1=EN
| |
| | |
| |Type=Other
| |
| |Outcome=
| |
| |Date_Decided=28.05.2021
| |
| |Date_Published=28.05.2021
| |
| |Year=2021
| |
| |Fine=None
| |
| |Currency=
| |
| | |
| |GDPR_Article_1=Article 2 GDPR
| |
| |GDPR_Article_Link_1=Article 2 GDPR
| |
| |GDPR_Article_2=Article 3 GDPR
| |
| |GDPR_Article_Link_2=Article 3 GDPR
| |
| |GDPR_Article_3=Article 27 GDPR
| |
| |GDPR_Article_Link_3=Article 27 GDPR
| |
| |GDPR_Article_4=Article 79 GDPR
| |
| |GDPR_Article_Link_4=Article 79 GDPR
| |
| |GDPR_Article_5=Article 80 GDPR
| |
| |GDPR_Article_Link_5=Article 80 GDPR
| |
| | |
| | |
| | |
| |Party_Name_1=MR BALDO SANSÓ RONDÓN
| |
| |Party_Link_1=
| |
| |Party_Name_2=LEXISNEXIS RISK SOLUTIONS UK LIMITED
| |
| |Party_Link_2=
| |
| |Party_Name_3=
| |
| |Party_Link_3=
| |
| |Party_Name_4=
| |
| |Party_Link_4=
| |
| |Party_Name_5=
| |
| |Party_Link_5=
| |
| | |
| |Appeal_To_Body=
| |
| |Appeal_To_Case_Number_Name=
| |
| |Appeal_To_Status=Unknown
| |
| |Appeal_To_Link=
| |
| | |
| |Initial_Contributor=n/a
| |
| |
| |
| }}
| |
| | |
| The High Court of England and Wales has ruled that data controllers and processors outside the EU that nominate a third party in the Union to represent them according to GDPR Article 27 do not outsource liability for any breaches of the legislation.
| |
| | |
| The Claimant gave much weight to the final sentence of GDPR Recital 80 which states: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
| |
| | |
| However, the court preferred the following guidance provided by the European Data Protection Board (EDPB): “The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.”
| |
| | |
| In other words, a representative can only be held responsible for its own obligations, not for the actions of the controller or processor that appointed it.
| |
| | |
| == English Summary ==
| |
| | |
| === Facts ===
| |
| Mr Baldo Sansó Rondón objected to US company WORLD COMPLIANCE INC (WorldCo) processing and sharing his data. Mr Rondon brought his claim against LEXISNEXIS RISK SOLUTIONS UK LTD, which was designated by WorldCo as its representative in the UK according to GDPR Article 27.
| |
| | |
| === Dispute ===
| |
| Does GDPR Article 27 provide for representative liability that would allow enforcement action to take place against a designated representative instead of the data controller?
| |
| | |
| === Holding ===
| |
| The court ruled that the purpose of Article 27 is primarily to make it easier for data subjects and enforcement bodies to contact and communicate with an out-of-jurisdiction controller. Representatives mandated by controllers do not ‘step into the shoes’ of controllers to create the sort of ‘representative liability’ argued for by Mr Rondon.
| |
| | |
| == Comment ==
| |
| This ruling sheds light on an issue that has been puzzling litigators.
| |
| | |
| Although the last sentence of Recital 80 appears to conclude without much doubt that representatives can be sued in place of controllers, both sides acknowledged that the recitals may be used as an aid to construction of the operative provisions of the GDPR. They are not intended to have distinct legal effect. If the recitals and operative provisions are in conflict, then precedence must be given to the operative provisions.
| |
| | |
| The Claimant’s interpretation of GDPR Article 27 would make a representative the local embodiment of a foreign controller, an entity within the jurisdiction on which the GDPR could bite with legal force to ensure data subjects have an effective remedy for the purposes of compliance with the GDPR.
| |
| | |
| The Defendant argued that data subjects’ rights and remedies in respect of foreign data controllers are already enforceable against them in the normal way that any rights are enforced extra-jurisdictionally.
| |
| | |
| An interesting point was made by leading Counsel for the Defendant that “bad guys do not appoint Article 27 representatives”. In other words, the decision by a foreign controller to appoint a representative is a signal of good intent.
| |
| | |
| == Further Resources ==
| |
| ''Share blogs or news articles here!''
| |
| | |
| == English Machine Translation of the Decision ==
| |
| The decision below is a machine translation of the English original. Please refer to the English original for more details.
| |
| | |
| <pre>
| |
| | |
| </pre>
| |