June 30, 2022

Volume XII, Number 181

Advertisement
Advertisement

June 29, 2022

Subscribe to Latest Legal News and Analysis

June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis

Spotlight on Requirement to Appoint an EU Data Protection Representative

Under the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (UK GDPR) (together the GDPR), even if an organisation is not established in the European Economic Area (EEA) or United Kingdom it must appoint a Data Protection Representative (DPR) based in an EU member state and/or in the UK if they:

  • process an individuals’ personal data who is located in the EEA and/or UK; and
  • offer goods/services to those individuals in the EEA and/or UK or monitor their behaviour.

Failure to comply may result in fines that can amount up to €20,000,000 or 4 percent of worldwide turnover (whatever is higher) from the relevant regulators, as well as being at risk from potential claims from individuals whose data is breached.

Online platform Locatefamily.com, unfortunately learnt this the hard way. The platform does what it says on the tin, it helps individuals find long lost family members. The platform publishes personal data including names and contact information of European citizens, on occasion without their knowledge or consent — a clear breach of modern day data protection rights.

The Dutch Data Protection Authority (Dutch DPA) was notified of Locatefamily.com’s activities after receiving numerous complaints from Dutch citizens. Following an investigation, the Dutch DPA discovered the online platform did not have an EU representative, making it difficult for individuals to exercise their data protection rights (i.e., the right to be forgotten).

The Dutch DPA imposed a fine of €525,000 for the EU GDPR breach and imposed an order instructing Locatefamily.com to appoint an EU representative by 18 March 2021, or face an additional fine of €20,000 every fortnight up to a maximum of €120,000 until a representative was appointed. Overall, Locatefamily.com are facing a potential fine of €645,000. To this date, it is not clear whether Locatefamily.com have appointed a DPR, their website is silent and there has been no further statement from the Dutch DPA.

Whilst historically the requirement to appoint an EU representative (and following Brexit a UK representative) by companies outside of the EEA may have been overlooked, following this decision, it is recommended that companies outside the EEA and UK paying attention to what the GDPR representative requirement may mean for them.

_______

Nicole Akinyemi, a paralegal in the Financial Markets and Funds practice, contributed to this advisory.

©2022 Katten Muchin Rosenman LLPNational Law Review, Volume XI, Number 334
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Christopher Hitchins, Katten Muchin London UK, investment documentation attorney, labor disputes management lawyer
Partner

Christopher Hitchins focuses his practice on the full range of employment law issues, acting for employers or senior individuals in a wide range of sectors, with a particular focus on the financial services, technology, hotel, retail and media industries.

Chris advises on all contentious and non-contentious UK employment law matters. He has significant experience advising on senior executive employment, partnership and investment documentation, managing disputes and exits as well as team moves, advising businesses on restructurings involving the...

44 (0) 20 7776 7663
Trisha Sircar Privacy, Data and Cybersecurity Attorney Katten Muchin Rosenman New York, NY
Partner

The value of data as an asset has increased substantially in today's global digital economy. In the high-stakes environment of global intellectual property and technology services, businesses, consumers and individuals need protection. With more than a decade of experience in helping to protect a wide range of businesses — including one of the world's largest insurance companies — Privacy, Data and Cybersecurity partner Trisha Sircar provides practical guidance and creative solutions regarding global privacy and data security risks and compliance issues.

Operating at the...

212.940.8532
Sarah Simpson, Katten Law Firm, London, Intellectual Property Attorney
Associate

Sarah Simpson is an associate at Katten Muchin Rosenman UK LLP. Sarah practices commercial and intellectual property law, with a particular focus on EU and UK trademarks, brand protection, copyright, design rights, data protection, commercial contracts, regulatory and general commercial matters. She has experience of advising clients in the fashion, fashion-technology, luxury brands, retail, consumer goods, financial technology and education sectors. Sarah advises both local and international clients.

440-207770-5238
Dagatha L. Delgado Intellectual Property Attorney Katten Muchin Rosenman New York, NY
Staff Attorney

Dagatha Delgado helps clients get the most out of cutting-edge innovations and address the privacy, data protection and cybersecurity challenges that arise from an ever-changing digital world.

Dagatha helps provide advice on privacy and technology matters, including compliance with rapidly evolving privacy and cybersecurity laws, and engaging and managing IT and cloud service providers. As a member of Katten’s data breach response team, Dagatha also steps in to help clients respond to and recover from data breaches and security incidents.

Guidance on privacy compliance and...

212.940.6350
Jeremy Merkel Privacy, Data & Cybersecurity Attorney Katten Muchin Rosenman New York, NY
Associate

Jeremy Merkel counsels businesses and organizations across a range of industries on privacy and data security matters. Combining his knowledge of the cybersecurity landscape with his technical experience, Jeremy is a trusted advisor to companies during the critical moments of identifying and responding to data security incidents. From the moment a breach is identified, Jeremy leverages resources to understand the scope of an incident, assess the risk to data and sensitive information and mitigate legal exposure.

The legal framework of privacy and data security laws is constantly...

212-940-6339
Advertisement
Advertisement
Advertisement