In the event that an organization under the jurisdiction of a country outside the EU/EEA processes personal data that falls within the scope of the GDPR and does not have its own establishment in the EU, it must designate, in writing, a Representative established in the EU (Art. 27, GDPR), with limited exceptions.
The first question that arises in these circumstances is what scope of responsibility the EU Representative actually assumes.
Scope of liability
The scope of the Representative’s legal liability is divided into:
- liability for breach of contract, arising from any breach of the obligations assumed under the mandate contract signed with the non-EU company;
- liability for breach of the GDPR attributable to the Representative.
A. Contractual liability for breach of contract
Contractual liability arises where the Representative fails to comply with the terms of the mandate contract and is owed to the represented foreign company. This liability may be regulated in the mandate itself and, in general, if the prerequisites are met, may justify an action for damages brought by the foreign company against the Representative.
B. Liability for breach of the regulation
While the Representative's contractual liability is not open to question, the liability arising from a breach of the regulation attributable to the Representative is more doubtful.
Vicarious Liability for violations of the non-EU company
First, liability of the Representative for any non-compliance by the controller or processor (i.e., the represented foreign organization) seems to be excluded. Outside of the limited circumstances of liability for breach of obligations that the GDPR directly imposes on the Representative, as noted below, the Representative does not appear susceptible to sanction for non-compliance with the regulation by the represented company. As noted by the EDPB, “The GDPR does not establish a substitutive liability of the Representative in place of the controller or processor it represents in the Union.” (Guidelines 3/2018), meaning that the Representative is neither jointly nor severally liable for any non-compliance by the represented firm.
In this regard, the changes made by the EDPB in version 2.0 of 12/11/2019 of its Guidelines 3/2018, following public consultation, appear to be emblematic. The first version of the document had a final paragraph that read as follows: «It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.» (emphasis added).
Version 2.0, adopted after public consultation, corrected the text on this point as follows: «It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative, in accordance with articles 58(2) and 83 of the GDPR. The possibility to hold a representative directly liable is however limited to its direct obligations referred to in articles 30 and article 58(1) a of the GDPR» (emphasis added).
English High Court Position
In a similar sense to the EDPB, the English High Court, in its judgment of 28/05/2021, ruled clearly that the EU Representative is not liable for non-compliant data processing by the controller or the processor. According to the judges of the High Court, there was no legal basis for bringing the action against the EU Representative (in that case, LexisNexis) of the data controller (WorldCo), so the application was rejected.