Failure to appoint an EU representative results in €525,000 fine by Dutch Data Protection Authority
On 12 May 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DDPA) announced its decision to fine Locatefamily.com €525,000. The fine was applied for Locatefamily.com’s failure to appoint a GDPR representative in the EU. The DDPA also ordered the company to remedy this shortcoming within 12 weeks, failing which it would impose an additional penalty of €20,000 for every two weeks of non-compliance (up to a maximum of €120,000).
A number of other Data Protection Authorities were involved in the DDPA’s Locatefamily.com case, indicating that this is a topic of interest not just in the Netherlands but for regulators around the EU.
Companies not established in the EU are therefore advised to assess (or re-assess) whether they need to appoint a GDPR representative in the EU. Broadly, this will be the case for any entity which offers goods or services to data subjects in the EU or monitors the behaviour of data subjects in the EU.
Locatefamily.com offers a platform for individuals who are looking for the contact details of people they lost track of by providing personal information such as name, address and sometimes a phone number.
Locatefamily.com offers this information to any interested party free of charge on a website which is publicly accessible, and which contains data of both EU and non-EU residents. Locatefamily.com obtains information from various sources such as social media accounts, government records and telecommunication providers, all without the individuals concerned having to become members of the platform or create an account.
Since the GDPR came into force, the DDPA has received a number of complaints about Locatefamily.com. These range from issues raised by individuals wishing to exercise their rights, non-compliance such as the lack of a GDPR representative to more general privacy concerns about the purpose of the website and its potential to facilitate stalking.
The Extra Territorial effect of the EU GDPR
In the relatively brief fining decision, the DDPA comes to the conclusion that Locatefamily.com is the controller for the processing of the individual contact details on its platform, which includes information on individuals in the EU. The DDPA further concludes that these services are partially aimed at EU residents and are offered in multiple EU member states, and that as a consequence, the GDPR applies to Locatefamily.com by virtue of article 3(2)(a) GDPR. This article describes that the GDPR “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
The direct consequence of the GDPR applying to Locatefamily.com is that based on article 27 GDPR, Locatefamily.com is required to appoint a representative that is based in the EU, as it could not rely on the limited exemptions to this requirement. We note that pursuant to Article 27(2) the requirement does not apply to (a) processing which is occasional, does not include large scale processing of special categories of data that does not result in a risk for individuals, or (b) a public authority or body.
Under the GDPR a representative functions as an interlocutor for organisations that are not established in the European Union, for example in discussions with supervisory authorities and individuals. The GDPR makes clear that the designation of a representative by the controller or processor is without prejudice to legal actions which could be initiated against the controller or the processor themselves.
Fine and Order under Penalty
For the violation of article 27 GDPR, the DDPA imposed a fine of €525,000.
The DDPA is unlikely to deviate from the base amounts it has set for violations of the GDPR, which range from €100,000 for the lowest Category I (which applies for example to a violation of article 26 GDPR on joint-controllers or not seeking the views of data subjects or their representatives in case of a DPIA as per article 35(9) GDPR) to €725,000 for Category IV violations (which apply for example to a violation of article 9 GDPR containing the general prohibition to process sensitive personal data). To be clear, the DDPA could still impose the GDPR’s maximum penalty of €20 million or 4% turnover, but this seems to be an option only in exceptional cases.
To force Locatefamily.com to appoint a representative, the Regulator also imposed an order subject to a penalty. The company had until 18 March 2021 to appoint a representative in the EU. For every 2 weeks that the order was not complied with, the company would be required to pay €20,000, with a maximum of €120,000. In the press release of 12 May 2021, the DDPA confirmed that to its knowledge Locatefamily.com did not appoint a representative on time, and the maximum additional fine of €120,000 will be due in addition to the initial fine.
For Your Company
Companies that are not established in the European Union but might have customers or users in the EU or otherwise process personal data relating to EU data subjects are strongly advised to (re-)assess whether they need an EU representative. With this case the DDPA in particular, but also the other DPAs that provided assistance, such as the French CNIL and Irish DPC, have sent a signal to such companies that EU data protection laws have a wide applicability and can extend far beyond the EU’s borders.
Please contact our team at firstname.lastname@example.org if you would like to discuss the above or the process of appointing a GDPR EU Representative for your company.
Talk to us today
Your GDPR Representative