In December 2020, the Dutch Data Protection Authority imposed a fine of € 525,000 on Locatefamily.com from Canada for not having a representative within the European Union. In addition to the fine, an order subject to a penalty for non-compliance of € 20.000 was imposed for every two weeks that Locatefamily.com would not designate a representative within the European Union.
Do you want to find out whether you comply with your obligations regarding designation of an EU representative? In the following blog, we explain the circumstances under which you are required to designate a representative within the European Union.
How exactly does it work?
The GDPR does not apply exclusively to controllers and processors established in the European Union. It may also apply to companies or organisations outside the EU. This is the case if an organisation processes data belonging to data subjects in the European Union and this data processing is related to offering goods or services or monitoring the behaviour of data subjects.
In that case, the organisation in question must designate a representative within the European Union. This representative represents the organisation in privacy law matters and is the point of contact for all supervisory authorities and data subjects established in the European Union. For example, data subjects may address the EU representative with requests for the deletion of personal data.
Since Brexit, the obligation to designate a representative within the EU also applies to organisations from the United Kingdom. As from 1 January 2021, the United Kingdom is considered a third country. This means that organisations and companies based in the United Kingdom must designate a representative within the European Union from this date.
What went wrong with Locatefamily.com?
Locatefamily.com is a company engaged in collecting personal data in an online database, to help people get in touch with relatives or friends with whom they have lost contact over the years. In many cases, the data subjects whose data are published are not aware that they have been included in the database and have not given their consent.
Since Locatefamily.com had not designated a representative in the European Union, it was very difficult for data subjects in the European Union – including approximately 700,000 Dutch – to find out to which party they had to address any requests for deletion. This led to dozens of complaints with the various supervisory authorities throughout the European Union. Following an investigation, the Dutch Data Protection Authority imposed a fine on Locatefamily.com of € 525,000, as well as an order subject to a penalty for non-compliance that may become as high as € 120,000.
What should you do?
The fine imposed on Locatefamily.com shows that the Dutch Data Protection Authority considers the failure to designate an EU representative to be a serious violation of the GDPR. In order to avoid any penalties, it is important for organisations from third countries to have their affairs in proper order.
If your organisation is established outside the European Union and you have not yet designated a representative, Boels Zanders will be happy to help you. We can act as your organisation’s representative within the European Union and serve as point of contact for supervisory authorities and data subjects in the Member States.
If you want to find out whether we can do anything for your organisation, please contact Monique Schreurs or another colleague of the Data Protection & Privacy Team.