UK court found that EU representatives are not liable for damages under the GDPR
It’s a judgment worth reading in full, so I highlighted what I considered the most important arguments of the court.
But basically,
– the #GDPR does not expressly establish representative liability
– neither do the European Data Protection Board nor the Information Commissioner’s Office consider representatives as directly liable if controllers or processors they represent fail in their #dataprotection obligations
– rec 80 GDPR, read as a whole with the GDPR, is not sufficient to establish such liability
– enforcement actions against foreign controllers or processors is a matter of international law: ‘the GDPR does have some jurisdictional limitations, notwithstanding the ambitions of its reach, and ultimately extra-jurisdictional enforcement is a matter of international law’. (para 86)
While I considered that representatives should be held liable for C-P damages, since it grants higher protection to DS, the judgment makes a really strong case against Reps liability.
Case (with highlights)
Art 27 – representative liability
https://www.bailii.org/ew/cases/EWHC/QB/2021/1427.html#
Great summary by Robert Bateman
https://data-protection.news/blog/newsletter10
0 comentarios