The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Article 27 Representatives are not liable for the acts of Controllers

7 July 2021

Rondón v Lexisnexis Risk Solutions UK Limited [2021] EWHC 1427 (QB)

The Claimant was somebody whose profile was included in a database which was designed to help subscribing businesses comply with laws combating money laundering and terrorism financing. World Compliance Inc, an American company, published and maintained that database. The American company designated Lexisnexis Risk Solutions UK Ltd as its “representative” for the purposes of Article 27 GDPR. The Claimant sought to hold the representative liable for a variety of breaches of the GDPR which had been brought about by the inclusion of his personal data in the published database.

Recital 80 to the GDPR, which explains the policy reasons for the Articles of the GDPR, provides that “the representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority”, “the designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation” and “the designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”.

Where an organisation is controlling and processing data of European subjects outside of the jurisdiction, Collins Rice J described the role of a representative as “an enriched one, active rather than passive”, saying that “the job focuses on providing local transparency and availability to data subjects, and local regulatory co-operation” [74]. The Court held that if the Claimant was right that it could hold a representative responsible for the breaches occasioned by a controller, it would amount to an obligation on foreign data controllers of “fully on-shoring their liability… as a precondition of compliant processing” but this was not supported by the language of the GDPR [78]. Moreover, if a representative were to stand in the shoes of the controller for liability, it would “require the controller to provide remedies which involve direct access to and operations on the personal data themselves” [80].

The Court held that the representative was the wrong defendant. It was only the last sentence of Recital 80, concerning “enforcement proceedings”, which gave any indication that there should be representative liability, and even that was not “strong compulsion” [101].

We understand there to be an outstanding appeal.

Further reading

Rondon v Lexisnexis

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
