EWHC (QB) - Sanso Rondon v LexisNexis Risk Solutions UK Ltd

From GDPRhub
EWHC - Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788
Court: EWHC (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 2 GDPR; Article 3 GDPR; Article 27 GDPR; Article 79 GDPR; Article 80 GDPR
Decided: 28.05.2021
Published:
Parties: MR BALDO SANSÓ RONDÓN; LEXISNEXIS RISK SOLUTIONS UK LIMITED
National Case Number/Name: Sanso Rondon v LexisNexis Risk Solutions UK Ltd (2021) EWHC 1427 (QB) (28 May 2021) QB-2020-002788
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): English
Original Source: BAILII (in English)
Initial Contributor: n/a

The High Court of England and Wales held that controllers and processors outside of the EU that nominate a representative under Article 27 GDPR do not outsource liability for breaches of the GDPR. A representative can only be held responsible for its own obligations.

English Summary

Facts

A data subject objected to the US company WORLD COMPLIANCE INC (WorldCo) processing and sharing their data. The data subject brought their claim against LEXISNEXIS RISK SOLUTIONS UK LTD, which WorldCo had designated as its representative in the UK under Article 27 GDPR.

Holding

The court ruled that the purpose of Article 27 GDPR is primarily to make it easier for data subjects and enforcement bodies to contact and communicate with an out-of-jurisdiction controller. Representatives mandated by controllers do not ‘step into the shoes’ of controllers to create the sort of ‘representative liability’ argued for by the data subject.

The Claimant had given weight to the final sentence of GDPR Recital 80 which states: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. However, the court preferred the following guidance provided by the European Data Protection Board (EDPB): “The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.” In other words, a representative can only be held responsible for its own obligations, not for the actions of the controller or processor that appointed it.

Comment

This ruling sheds light on an issue that has been puzzling litigators.

Although the last sentence of Recital 80 appears to conclude without much doubt that representatives can be sued in place of controllers, both sides acknowledged that the recitals may be used as an aid to construction of the operative provisions of the GDPR. They are not intended to have distinct legal effect. If the recitals and operative provisions are in conflict, then precedence must be given to the operative provisions.

The Claimant’s interpretation of GDPR Article 27 would make a representative the local embodiment of a foreign controller, an entity within the jurisdiction on which the GDPR could bite with legal force to ensure data subjects have an effective remedy for the purposes of compliance with the GDPR.

The Defendant argued that data subjects’ rights and remedies in respect of foreign data controllers are already enforceable against them in the normal way that any rights are enforced extra-jurisdictionally.

An interesting point was made by leading Counsel for the Defendant that “bad guys do not appoint Article 27 representatives”. In other words, the decision by a foreign controller to appoint a representative is a signal of good intent.
