by Kelly Hagedorn and Matthew Worby
Companies not established in the UK who process the personal data of UK-based individuals are required to appoint a representative in the UK pursuant to Article 27 of the UK GDPR. This requirement may become less practical (and more expensive), depending on the outcome of a UK Court of Appeal case between Baldo Sansó Rondón and LexisNexis Risk Solutions. The case will reportedly be heard in early 2022.
This case relates to the appointment of representatives under the EU GDPR, but will have significant impact in the UK because the UK GDPR framework contains an identical requirement to appoint a UK-based representative. As noted below, it will be interesting to see how EU jurisdictions subsequently interpret the liability of Article 27 Representatives required under the EU GDPR, in light of the UK paving the way on this issue.