Spotlight on Requirement to Appoint an EU Data Protection Representative
Tuesday, November 30, 2021
EU Data Protection Representative
Print Mail Download i

Under the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (UK GDPR) (together the GDPR), even if an organisation is not established in the European Economic Area (EEA) or United Kingdom it must appoint a Data Protection Representative (DPR) based in an EU member state and/or in the UK if they:

  • process an individuals’ personal data who is located in the EEA and/or UK; and
  • offer goods/services to those individuals in the EEA and/or UK or monitor their behaviour.

Failure to comply may result in fines that can amount up to €20,000,000 or 4 percent of worldwide turnover (whatever is higher) from the relevant regulators, as well as being at risk from potential claims from individuals whose data is breached.

Online platform Locatefamily.com, unfortunately learnt this the hard way. The platform does what it says on the tin, it helps individuals find long lost family members. The platform publishes personal data including names and contact information of European citizens, on occasion without their knowledge or consent — a clear breach of modern day data protection rights.

The Dutch Data Protection Authority (Dutch DPA) was notified of Locatefamily.com’s activities after receiving numerous complaints from Dutch citizens. Following an investigation, the Dutch DPA discovered the online platform did not have an EU representative, making it difficult for individuals to exercise their data protection rights (i.e., the right to be forgotten).

The Dutch DPA imposed a fine of €525,000 for the EU GDPR breach and imposed an order instructing Locatefamily.com to appoint an EU representative by 18 March 2021, or face an additional fine of €20,000 every fortnight up to a maximum of €120,000 until a representative was appointed. Overall, Locatefamily.com are facing a potential fine of €645,000. To this date, it is not clear whether Locatefamily.com have appointed a DPR, their website is silent and there has been no further statement from the Dutch DPA.

Whilst historically the requirement to appoint an EU representative (and following Brexit a UK representative) by companies outside of the EEA may have been overlooked, following this decision, it is recommended that companies outside the EEA and UK paying attention to what the GDPR representative requirement may mean for them.

_______

Nicole Akinyemi, a paralegal in the Financial Markets and Funds practice, contributed to this advisory.

©2024 Katten Muchin Rosenman LLP

Current Legal Analysis

More from Katten

UK HMT Publishes Policy Paper on its Approach to Designation of Critical Third Parties
by: Nathaniel W. Lalone , Ciara McBrien
UK FCA Publishes Guidance on Social Media Financial Promotions
by: Neil Robson , Carolyn H. Jackson
FCA Proposes ‘New’ Option for Investment Research Payments – Back to Bundled Payments?
by: Neil Robson , Sara Portillo
Tennessee Expands Right-of-Publicity Statute to Cover AI-Generated Deepfakes
by: Amelia E. Bruckner
NYDFS Cybersecurity Regulation Deadlines Approaching on April 15 and April 29
by: Trisha Sircar
Cybersecurity Administration of China Issues Relaxed Rules for Cross-Border Data Transfers
by: Trisha Sircar
TMA Chicago Midwest Podcast Hosted by Paul Musser | Judge Timothy A. Barnes on Bankruptcy Trends and His Path to the Bench [Podcast]
by: Paul T. Musser
New York Attorney General Sues JBS for Alleged Greenwashing
by: Christopher A. Cole
Third Circuit Says Statutory Trusts are ‘Covered Persons' Under Consumer Financial Protection Act
by: Chris DiAngelo , Christina Grigorian
International Retail Platforms – Geo-Personalisation, a Double-Edged Sword?
by: Sarah Simpson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins