The ever-entertaining (but more importantly, ever-illuminating) Tim Turner has made available a recording of a webinar he did recently on the subject of representatives under Article 27 of the EU GDPR and the UK GDPR. Such representatives are required to be designated by controllers or processors who are outside the relevant jurisdiction, but who are subject to the extra-territorial provisions of Article 3(2) of EU GDPR or UK GDPR (thus, under Article 27 EU GDPR, a company outside the EU but offering goods or service to, or monitoring the behaviour of, data subjects in the EU, must appoint a representative in the EU, and under Article 27 UK GDPR, a company outside the UK but offering goods or service to, or monitoring the behaviour of, data subjects in the UK, must appoint a representative in the UK).
Tim’s webinar deals, in part, with what is expected of representatives, but also touches on their potential liability, and he points to – but doesn’t actually address – a remarkable assertion on the website of the Information Commissioner’s Office (ICO)
The EDPB’s view is that supervisory authorities are able to initiate enforcement action (including fines) against a representative in the same way as they could against the controller or processor that appointed them.
I describe this as remarkable, because it seems to completely misrepresent the guidance (of the European Data Protection Board) to which it refers (and links).
The issue of representative liability is an important one – many companies offer a contracted service under which they will act as a representative, and a commercial evaluation of such a service will inevitably need to consider whether being a representative exposes oneself to the possibility of regulatory action. Recital 80 of the EU GDPR and the UK GDPR says “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor” and much debate is there to be had on what it means. But the EDPB’s view is pretty clear, and it’s nothing like the view attributed to it by the ICO
The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union. It should however be noted that the concept of the representative was introduced precisely with the aim of facilitating the liaison with and ensuring effective enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union. This includes the possibility for supervisory authorities to address corrective measures or administrative fines and penalties imposed on the controller or processor not established in the Union to the representative… [emphasis added]
(It goes on to say that a representative will be directly liable only to the extent that it is infringing its direct obligations – namely to provide information to a supervisory authority under Article 58(1)(a) of GDPR, and to maintain a record of processing activities under Article 30.)
Whether the ICO’s assertion represents what it thinks a proper reading of the UK GDPR (including recital 80) should be, is an interesting question. The EDPB is, of course, no part of the UK GDPR regulatory and legal scheme, so ICO is free to disregard its views. What it shouldn’t be free to do though, really, is to attribute to the EDPB a position totally at odds with what the EDPB actually says.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.