Spotlight on Requirement to Appoint an EU Data Protection Representative
Under the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (UK GDPR) (together the GDPR), even if an organisation is not established in the European Economic Area (EEA) or United Kingdom it must appoint a Data Protection Representative (DPR) based in an EU member state and/or in the UK if they:
- process an individuals’ personal data who is located in the EEA and/or UK; and
- offer goods/services to those individuals in the EEA and/or UK or monitor their behaviour.
Failure to comply may result in fines that can amount up to €20,000,000 or 4 percent of worldwide turnover (whatever is higher) from the relevant regulators, as well as being at risk from potential claims from individuals whose data is breached.
Online platform Locatefamily.com, unfortunately learnt this the hard way. The platform does what it says on the tin, it helps individuals find long lost family members. The platform publishes personal data including names and contact information of European citizens, on occasion without their knowledge or consent — a clear breach of modern day data protection rights.
The Dutch Data Protection Authority (Dutch DPA) was notified of Locatefamily.com’s activities after receiving numerous complaints from Dutch citizens. Following an investigation, the Dutch DPA discovered the online platform did not have an EU representative, making it difficult for individuals to exercise their data protection rights (i.e., the right to be forgotten).
The Dutch DPA imposed a fine of €525,000 for the EU GDPR breach and imposed an order instructing Locatefamily.com to appoint an EU representative by 18 March 2021, or face an additional fine of €20,000 every fortnight up to a maximum of €120,000 until a representative was appointed. Overall, Locatefamily.com are facing a potential fine of €645,000. To this date, it is not clear whether Locatefamily.com have appointed a DPR, their website is silent and there has been no further statement from the Dutch DPA.
Whilst historically the requirement to appoint an EU representative (and following Brexit a UK representative) by companies outside of the EEA may have been overlooked, following this decision, it is recommended that companies outside the EEA and UK paying attention to what the GDPR representative requirement may mean for them.
Nicole Akinyemi, a paralegal in the Financial Markets and Funds practice, contributed to this advisory.