- Liability of an EU representative appointed under Article 27 of the GDPR (Rondon v LexisNexis Risk Solutions)
- What are the practical implications of the opinion?
- What was the background?
- What did the court decide?
- Relevant law and guidance
- The court’s analysis
- Case details
Information Law analysis: The High Court has ruled that an EU representative appointed under Article 27 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) is not directly liable for the non-compliance of the entity it represents. The representative’s liability is instead limited to its compliance with its own statutory obligations (in its capacity as such). The ruling is a pragmatic and welcome interpretation of some ambiguity within Article 27 and Recital 80 of the GDPR, which had previously caused some uncertainty. It is worth noting that, following Brexit, businesses which are based outside the EU and UK and which process personal data of EU or UK data subjects now need to consider the appointment of not only an EU representative but also a UK representative. The analysis and decision of the High Court in this case applied in the context of the EU GDPR, but it should logically apply in the same way to the liability of a UK representative under the UK GDPR. Written by Hamish Corner, partner at Shoosmiths LLP.
Sign in or take a trial to read the full analysis.
To continue reading this news article, as well as thousands of others like it, sign in to LexisPSL or register for a free trial