This article explores the topic of appointed representatives under Article 27 of the GDPR. What are they? When do you need one? How is regulatory enforcement starting to play out in the EU and in the UK on this issue? We have now seen what we believe is the first fine under the EU GDPR for failing to appoint an EU representative. This highlights the risks faced by UK-based businesses subject to EU GDPR who have yet to nominate an appropriate EU-based Article 27 representative. At the same time, the UK courts have recently examined the extent of responsibility that can be undertaken by an Article 27 representative, also shedding light on the approach of the courts to EDPB guidance post-Brexit.
The concept of the Article 27 representative (“Representative”) is common to both the UK GDPR and the EU GDPR (the EU General Data Protection Regulation (2016/679)). It is a key part of the mechanism by which the territorial reach of the legislation – and its enforcement – is extended beyond the borders of the UK (in the case of the UK GDPR) or beyond the EU (in the case of the EU GDPR).
Under the UK GDPR, a Representative is an individual, company or organisation located in the UK which is “designated in writing” by an entity which lacks a UK presence but which is nevertheless subject to the UK GDPR under Article 3(2). This can happen for example where, as explained below, the appointing entity is targeting the offer of goods or services to individuals who are located in the UK. The obligation to appoint a Representative applies to processor entities as well as controller entities.
A Representative is mandated (usually under a written service contract) to act on behalf of the appointing entity with regard to certain of its obligations under the UK GDPR or EU GDPR as the case may be. In the UK this would primarily involve facilitating communications between a non-UK established entity and the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”) or with any affected data subjects in the UK.
Once a Representative has been appointed, an organisation that is a “controller” is required to provide data subjects with the identity and contact details of its Representative in accordance with Articles 13 and 14.
Organisations that are based outside of the UK and which do not have a branch, office or other establishment in the UK are required to comply with UK GDPR in accordance with Article 3(2) where they process personal data in relation to:
Complying with the UK GDPR means that such an organisation is required to appoint a Representative in the UK unless the organisation’s processing:
Public bodies or authorities are not required to appoint a Representative.
The EU GDPR applies a substantially identical set of rules.
Representatives, whether based in the UK or the EU, are required to act as a contact point for both data subjects and relevant data protection authorities. Typically Representatives will also play a role in communicating data breach notifications. Representatives are also required to hold and maintain a copy of the record of processing activities (“ROPA”) of the organisation which appointed them, and to provide it to a supervisory authority on request.
It is recommended that organisations appoint privacy professionals with previous experience both in interacting with supervisory authorities and in handling data subject requests. For EU-based Representatives, local language skills are likely to be of importance, as they could receive contact from individuals or regulators from a range of countries in that region.
Guidance from the EDPB[1] states that the role of Representative is not compatible with that of Data Protection Officer (“DPO”) under Article 37, because a Representative is under direct instruction from the appointing entity whereas a DPO requires a level of independence and autonomy within the organisation. A Representative therefore cannot also serve as the DPO. In addition, the EDPB recommends that a processor appointed by an organisation should not also serve as its Representative, in order to avoid any possible conflicts of interest or obligation in cases of enforcement. This guidance is not binding in the UK but is likely to be influential on the ICO.
Designating a Representative does not affect the responsibility or liability of the appointing entity for its own data protection breaches or failings. The Representative does have some direct responsibilities under the legislation; however, these are fairly narrow under the UK GDPR and limited to matters related to the ROPA (Article 30) and other information ordered to be provided by the ICO (Article 58(1)(a)).
Under the UK GDPR, the Representative should, of course, be in the UK.
Under the EU GDPR, this is more nuanced. A Representative should be located in one of the EU Member States in which the individuals whose personal data are being processed are located. When selecting a Representative’s location (and qualities), an organisation will want to ensure that the Representative is in a position to communicate efficiently with supervisory authorities and data subjects in the appropriate languages.
The end of the Brexit transition period on 31 December 2020 triggered the following potential changes in terms of the obligation to appoint a Representative for affected organisations:
On 12 May 2021, the Dutch Data Protection Authority (“DPA”) publicised the fine of €525,000 it imposed on the website Locatefamily.com in December 2020 for the website’s failure to have a Representative in the EU. This website publishes names, home addresses and telephone numbers of some 700,000 Dutch citizens, often without the knowledge of the data subject, and the DPA had received dozens of complaints from concerned members of the public.
As the website operator did not have an EU Representative, anyone wanting to remove their details from the site was unable to do so easily. In tandem with the fine, the DPA also imposed an order requiring the operator to designate a representative in the EU by March 18, 2021, failing which it would be liable to pay €20,000 for every 2 weeks it is without a Representative, up to a maximum of €120,000. The DPA was concerned that publication of phone numbers and addresses without the knowledge or consent of the relevant individual was unacceptable and could expose individuals to identity fraud or harassment. The fact that there was no easy way to demand removal of the information compounded the risk of harm an individual might suffer, leading to the imposition of the fine. The website is international in its coverage, and a number of other European DPAs reportedly worked with the Dutch regulator in investigating the company.
The recent case of Rondon v LexisNexis Risk Solutions UK Ltd EWHC 1427 confirms that a Representative cannot be sued in the UK for its controller’s (alleged) failure to comply with the UK GDPR. An individual issued proceedings in the UK against a UK-based data analytics business (LexisNexis Risk Solutions), which had been appointed Representative for a US-based company that, as a function of the activities it undertakes in the EU and UK, is required to appoint a Representative in the UK. The Representative succeeded in having the claim against it struck out, on the basis that it was not liable to the individual for the controller’s alleged GDPR breaches.
The English High Court considered the recitals of the GDPR, the scope of the obligations set out in the operative provisions of GDPR, EDPB guidelines 3/2018 as well as correspondence between the parties and the ICO. The judge carefully examined the policy framework and rationale for the Article 27 requirement, noting that the appointment of a Representative is ‘an important signal that the controller is engaging with the GDPR.’
While the judge was not willing to impose liability on the Representative for the controller’s alleged breach, he made some interesting comments on the ambit of the Representative’s role. He noted that: ‘the picture which emerges is of a considerably fuller role than a mere postbox 'to be addressed'. Even the language of 'conduit' or 'liaison' does not fully capture the job the GDPR gives to representatives. The role is an enriched one, active rather than passive. At its core is a bespoke suite of directly-imposed functions. These are crafted to fit together with, …the relationships between controller, ICO and data subject. The job focuses on providing local transparency and availability to data subjects, and local regulatory co-operation. And the appointment is of course an opportunity for foreign controllers to give representatives any other ambassadorial - 'shop window' or customer-facing - functions, additional to the core 'mandate' functions, as they consider desirable demonstrations of their compliance credentials.’
The judge noted that the overall scheme of the GDPR was silent as to enforcement against a Representative (with no mention made in Article 82 about Representatives being liable to compensate data subjects, as controllers and processors are). Allied to this, EDPB guidelines 3/2018 make clear that appointment of a Representative does not affect the responsibility and liability of a controller or processor and that GDPR does not establish a ‘substitutive’ liability of the Representative in place of the controller or processor it represents.
The ICO also responded to the parties in this dispute, confirming its view that the Representative’s role is limited to that of conduit of communications between the overseas entity and the ICO or relevant data subjects. The UK Data Protection Act 2018 is also silent as to the ability of the ICO to issue enforcement notices to Representatives, indicating no intention for Representatives to shoulder liability.
This decision, coming so soon after the Dutch DPA’s decision (discussed above), provides helpful clarity about the responsibilities a party will – and will not – be taking on when acting as a Representative. As a means of showing commitment to GDPR compliance, there is nothing to prevent a controller from ‘gold plating’ its Representative appointment, e.g. by empowering its Representative to take a more active role in customer-facing activities, to the extent this serves its compliance goals.
The UK’s data protection regime looks set for a period of change in 2021, notwithstanding the significant impact already brought about by Brexit. Businesses with UK operations or customers will need to be alert to these regulatory changes and monitor developments carefully, and should also take note of the size of the recent Dutch Data Protection Authority fine for non-compliance.
[1] EDPB Guidelines 3/2018 on the territorial scope of the GDPR.