MR BALDO SANSÓ RONDÓN – Court Ruling (United Kingdom, 2021)

A data subject objected to US company WORLD COMPLIANCE INC processing and sharing their data. The data subject brought their claim against LEXISNEXIS RISK SOLUTIONS UK LTD which was designated by WorldCo’s as its representative in the UK according to Article 27 GDPR. The court ruled that the purpose of Article 27 GDPR is primarily to make it easier for data subjects and enforcement bodies to contact and communicate with an out-of-jurisdiction controller. Representatives mandated by controllers do not ‘step into the shoes’ of controllers to create the sort of ‘representative liability’ argued for by the data subject. The Claimant had given weight to the final sentence of GDPR Recital 80 which states: “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. However, the court preferred the following guidance provided by the European Data Protection Board (EDPB): “The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR.” In other words, a representative can only be held responsible for its own obligations, not for the actions of the controller or processor that appointed it.