Article 27 Interpretation: what happens with a GDPR data breach when there is no EU/UK establishment?
We report on a case that clarifies Article 27 Representatives' liability in the event of a GDPR breach by a data controller with no EU establishment.
A recent judgment handed down in the case of Sanso Rondon v LexisNexis Ltd EWHC 1427 (QB) has helped to clarify the position on the liability of Article 27 Representatives in the event of a breach of the GDPR by a data controller or processor with no EU establishment.
What is an Article 27 Representative?
Under the GDPR, companies that have no establishment in the European Union but process the personal data of data subjects who reside in the EU are required to appoint what is called an ‘Article 27 Representative’. The Article 27 Representative must be established in an EU member state and has the responsibility for representing the controller or processor on all issues pertaining to the processing of personal data for the purposes of compliance with the GDPR.
Upon Brexit the GDPR was transposed into UK law (UK GDPR), and under UK GDPR the same principles apply. Therefore, under UK GDPR, a company that processes the personal data of residents of the United Kingdom must appoint a UK-based Article 27 Representative if that company has no UK establishment itself.
Therefore, companies that process the personal data of EU and UK residents will be required to have an Article 27 Representative in both the UK and the EU.
Significance of Sanso Rondon v LexisNexis Risk Solutions UK
This case involved the processing of the personal data of the Claimant, Mr Sanso Rondon, who was based in Italy, by a US-based company named World Compliance Inc (WorldCo). WorldCo had appointed LexisNexis Risk Solutions UK (LNUK) as its Article 27 Representative for the purposes of the GDPR.
Mr Rondon alleged that WorldCo’s processing of his personal data had breached the GDPR and subsequently sought various remedies against LNUK, WorldCo’s Article 27 Representative, on the basis of this alleged breach. Mr Rondon’s view was that LNUK was to all intents and purposes the embodiment of WorldCo in the EU for data protection enforcement purposes, and that it was therefore liable for WorldCo’s alleged breaches under the GDPR. This argument relied heavily on the wording of Recital 80, which states that representatives “should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.
LNUK disputed this interpretation of the GDPR and applied for the claim to be struck out, or for summary judgment to be entered in its favour, on the basis that there was no realistic prospect of success because it was the wrong defendant. LNUK argued that, as an Article 27 Representative, it was no more than a point of contact for WorldCo and bore no representative liability for any breaches of the GDPR by WorldCo.
Both parties agreed that there was no guidance in relevant EU case law.
The findings of the court
The judge held that when looking at Article 27 and the GDPR, there was “no basis in law” for the claim to be brought against LNUK and that Mr Rondon’s case was “over-extended and under-supported”.
The judge stated that she could find, “no positive encouragement for representative liability anywhere other than the last sentence of Recital 80”.
In coming to these findings, the court held that if the GDPR had intended to apportion representative liability onto Article 27 Representatives, then it would have stated this “more clearly in its operative provisions”. Therefore, to apportion representative liability on an Article 27 Representative was to put too much weight on the last sentence of Recital 80.
The court further highlighted that while Article 27 Representatives play an important part in the “furtherance of securing compliance, and of promoting co-operation”, because of the lack of control they have over the data in question they are not “standing in the shoes of the controllers for enforcement and remedial purposes”. The judge specifically noted that:
“The enforcement powers of the courts and the ICO mirror the full range of the duties of controllers and processors which are imposed because of the power they have on a day to day basis over how and why data are processed. A representative does not have that; it is not constituted as a controller or processor in its own right.”
Consequently, in striking out Mr Rondon’s claim, the judge found that representative liability could not be apportioned to an Article 27 Representative under the GDPR, and therefore the remedies sought could not be obtained from LNUK. It should be noted that while this case related to EU GDPR, the principles in this judgment should theoretically also apply in the same way under UK GDPR.
This ruling will come as a relief to Article 27 Representatives, and it does clarify an area of the GDPR and UK GDPR in respect of which there had been some uncertainty. The decision is pragmatic and sensible, and one to be welcomed. The Claimant has, however, been granted leave to appeal, so there remains the possibility that this decision may be reversed; for the time being, we have some clarity on an area of the GDPR which has been puzzling lawyers for some time.
For further guidance and support, contact our GDPR solicitors.