World Compliance Inc. (“WorldCo”) is a company that provides financial screening services to companies, including potential employers. WorldCo is a US company caught by the territorial jurisdiction of Article 3 of the General Data Protection Regulation (GDPR), and so it is required under Article 27 of the GDPR to have an EU representative with whom supervisory authorities can liaise about questions concerning the processing of personal data. WorldCo’s designated EU representative was Lexis Nexis Risk Solutions UK Ltd (“Lexis Nexis”), a data analytics and risk intelligence business.
This case concerns Mr Rondón, who objected to his profile on WorldCo’s database. As an EU-based data subject, he issued a claim against Lexis Nexis rather than WorldCo. The parties agreed that WorldCo was caught by Article 27, and that Lexis Nexis was WorldCo’s designated representative. The question that the court was left to answer was: had Mr Rondón tried to sue the wrong person?
Article 27 sets out the role and functions of ‘representatives’. It states: ‘The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with [the GDPR]’. Lexis Nexis argued that being ‘addressed’ was the key term; a representative is merely a point of contact, functioning as a liaison between a supervisory authority/data subject and the data controller or processor. It argued that a representative can no more be sued in place of a data controller than can a legal adviser in place of a client. On the other hand, Mr Rondón emphasised that a representative represents a data controller/processor ‘for the purposes of ensuring compliance’; he argued that the representative is the local embodiment of a foreign controller, on which the GDPR can bite with legal force.
To answer the question, the court considered the day-to-day role of representatives and concluded that, while this was much fuller and more active than simply ‘being addressed’ (for example, a representative has record-keeping functions on behalf of the controller/processor that it represents), representative liability is difficult to reconcile with the GDPR. Firstly, the court said, if liability had been intended it would have been set out unambiguously and there would be no need to differentiate between a representative and a processor. Also, to stand in a controller’s shoes would mean being able to respond to data subject rights requests, including giving data subjects access to their personal data. Were a representative able to do this, it would itself be a data processor. It is unlikely this situation was ever contemplated, as it is not discernibly provided for in the GDPR (or the Data Protection Act 2018). In short, as a representative carrying out activities to do with processing, but not processing itself, Lexis Nexis was not responsible for Mr Rondón’s personal data.
For controllers operating in other jurisdictions, this decision clarifies that appointing a representative neither transfers nor creates an additional ‘on-shore’ liability. A controller may directly impose specific tasks on its representative, who can undertake ‘shop window’ customer-facing functions, in addition to providing the local transparency and availability required by the GDPR. However, the controller remains in control and responsible for the content in question.
that if the GDPR had intended to achieve 'representative liability' then it would necessarily have said so more clearly in its operative provisions