ICO (UK) - Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788

From GDPRhub
Revision as of 08:31, 2 August 2021 by 10.90.129.140
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 2 GDPR; Article 3 GDPR; Article 27 GDPR; Article 79 GDPR; Article 80 GDPR
Type: Other
Outcome: n/a
Started:
Decided: 28.05.2021
Published: 28.05.2021
Fine: None
Parties: MR BALDO SANSÓ RONDÓN; LEXISNEXIS RISK SOLUTIONS UK LIMITED
National Case Number/Name: Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: BAILII (in EN)
Initial Contributor: n/a

The High Court of England and Wales ruled that data controllers and processors outside the EU that nominate a representative under Article 27 GDPR do not thereby outsource liability for any breaches of the legislation. A representative can only be held responsible for its own obligations.

English Summary

Facts

Mr Baldo Sansó Rondón objected to the US company World Compliance Inc (WorldCo) processing and sharing his data. Mr Rondon brought his claim against LexisNexis Risk Solutions UK Ltd, which WorldCo had designated as its representative in the UK under Article 27 GDPR.

Holding

The court ruled that the purpose of Article 27 GDPR is primarily to make it easier for data subjects and enforcement bodies to contact and communicate with an out-of-jurisdiction controller. Representatives mandated by controllers do not ‘step into the shoes’ of controllers to create the sort of ‘representative liability’ argued for by Mr Rondon.

The Claimant had given weight to the final sentence of GDPR Recital 80 which states: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. However, the court preferred the following guidance provided by the European Data Protection Board (EDPB): “The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.” In other words, a representative can only be held responsible for its own obligations, not for the actions of the controller or processor that appointed it.

Comment

This ruling sheds light on an issue that has been puzzling litigators.

Although the last sentence of Recital 80 appears to conclude without much doubt that representatives can be sued in place of controllers, both sides acknowledged that the recitals may be used as an aid to construction of the operative provisions of the GDPR. They are not intended to have distinct legal effect. If the recitals and operative provisions are in conflict, then precedence must be given to the operative provisions.

The Claimant’s interpretation of GDPR Article 27 would make a representative the local embodiment of a foreign controller, an entity within the jurisdiction on which the GDPR could bite with legal force to ensure data subjects have an effective remedy for the purposes of compliance with the GDPR.

The Defendant argued that data subjects’ rights and remedies in respect of foreign data controllers are already enforceable against them in the normal way that any rights are enforced extra-jurisdictionally.

An interesting point was made by leading Counsel for the Defendant that “bad guys do not appoint Article 27 representatives”. In other words, the decision by a foreign controller to appoint a representative is a signal of good intent.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.