High Court strikes out ‘representative liability’ claim concerning interpretation of Article 27 GDPR


Re: Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB)

The High Court has handed down an important judgment on the interpretation of Article 27 of the General Data Protection Regulation (‘GDPR’), concerning the liability of the UK representatives of data controllers based outside the UK.

The Claimant brought a claim against LexisNexis Risk Solutions in its capacity as the designated ‘representative’ of World Compliance Inc (‘WorldCo’) for the purposes of the GDPR Article 27. WorldCo owns and is the data controller of the WorldCompliance database which includes profiles of individuals, among them the Claimant. The Claimant contends that WorldCo’s processing of the data in his profile is in breach of the GDPR. The Defendant argued that an Article 27 representative cannot be held liable for the actions of the controller who appoints them and applied to strike out the claim/for summary judgment.

HELD: Claim struck out. GDPR Article 27 does not, Collins Rice J held, create ‘representative liability’. The Judge held that Article 27 is not ambiguous: it does not require Article 27 representatives to stand in the shoes of controllers for the purposes of enforcement action. Collins Rice J concluded that if the GDPR had intended to create representative liability, it would have done so more clearly; such liability could not be “blown in by the ‘interpretative sidewind’” of one sentence of Recital 80.

The Judge has granted the Claimant permission to appeal.

Lorna Skinner QCHugh Tomlinson QC and Aidan Wills were involved in this case.