Since the General Data Protection Regulation (GDPR) came into force in May 2018, foreign data controllers caught by the GDPR’s extra-territorial effect (i.e. those offering goods or services to EU citizens) have been required to appoint a European representative under Article 27 of the GDPR. Following the end of the Brexit transition period, this requirement also now applies to data controllers based in the UK with no branch, office or other establishment in any other EU or EAA state.

Up until very recently, the question of whether an Article 27 Representative could be sued in place of a data controller was something that had troubled practitioners, data controllers and Article 27 Representatives alike. There was very little by way of guidance on the topic and it had not been judicially considered.

Thankfully, the High Court has now had to grapple with the issue. In the case of Sansó Rondón v LexisNexis Risk Solutions UK Limited [2021] EWHC 1427 (QB) the Court held that the GDPR does not create “representative liability”. This means that an Article 27 Representative does not step into the shoes of its appointing data controller when it comes to liability for data protection breaches and it cannot be sued instead of the data controller.

The decision brings welcome clarity and will no doubt herald a sigh of relief from Article 27 Representatives and foreign data controllers, especially those data controllers who have appointed an EU subsidiary company as their Article 27 Representative.