It is well known that the UK GDPR has a reach beyond the borders of the UK. Article 27 of the UK GDPR is one example of how the legislation can impact organisations that are not based in the UK but wish to do business in the UK. Before getting into the effect of Article 27, it is important to note what activities Article 27 applies to.
This is set out in Article 3(2), which states:
“2. This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.”
The second of these activities is fairly far-reaching itself when set in the context of apps such as Facebook, Instagram, and the like, as these companies clearly track behaviour with a view to conducting targeted marketing campaigns on behalf of their customers. When the above two categories are put together, it is difficult to envisage very many websites that would not be caught by the above definition.
Article 27 places an obligation on businesses caught by Article 3(2) to ‘designate in writing a representative in the United Kingdom’.
The representative appointed…
‘shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities the Commissioner and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation’.
Accordingly, the representative will be responsible for seeking compliance with UK GDPR on behalf of the data controller. This should not, however, be mistaken for the representative stepping into the shoes of the data controller and thus adopting liability for a breach of the UK GDPR by the data controller.
This was the issue considered by the Courts in Sanso Rondon v Lexis Nexis Risk Solutions UK Ltd.
Sanso Rondon v Lexis Nexis Risk Solutions UK Ltd
Mr Sanso Rondon (Rondon) brought a claim against Lexis Nexis Risk Solutions UK Ltd (Lexis) alleging a breach of his rights in respect of the processing of his data by a US-based company called World Compliance Inc (WCI), which had appointed Lexis as its representative under Article 27. Rondon claimed that, as a representative of WCI, Lexis should be equally liable for breaches of UK GDPR by WCI on the basis of Recital 80 to the UK GDPR, which includes the following:
“The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”
In striking out Rondon’s claim on the basis that it had no prospect of success, Mrs Justice Collins Rice stated:
“I find no positive encouragement for ‘representative liability’ anywhere other than the last sentence of Rec.80. I find no strong compulsion there. If I did, then in all of the circumstances rehearsed in this analysis I would in the end have found ample justification for two simple conclusions: that if the GDPR had intended to achieve ‘representative liability’ then it would necessarily have said so more clearly in its operative provisions; and that it is a proposition on any basis too weighty to be blown in by the ‘interpretative sidewind’ of the last sentence of Rec.80.
In these circumstances, my conclusion is that the interpretation of Art.27 contended for by the Claimant is over-extended and under-supported, and that contended for by the Defendant is to be preferred as more consistent with the letter and spirit of the GDPR.”
How can we help?
Should you wish to discuss whether Nelsons would be able to assist you by acting as your Article 27 representative, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.