The Dutch data protection supervisory authority fined a company EUR 525,000 for not appointing an EU representative. This is, however, only the first of the possible sanctions that non-EU companies face for GDPR violations.
What is an EU representative and which companies have to appoint one?
One of the main goals of the General Data Protection Regulation (GDPR) is to give individuals more control over the processing of their personal data. To achieve this, individuals must not only be able to enforce their data protection rights, they also need to know against whom they can exercise them. Controllers and processors that are not established in the EU but are nonetheless bound by the GDPR pursuant to Art. 3(2) therefore have to appoint a representative in the EU as a point of contact for supervisory authorities and data subjects (Art. 27 GDPR).
In a nutshell, the goal is to improve compliance with the GDPR in cases where a company processing data might otherwise be difficult to reach because it is located outside the EU. Failure to appoint an EU representative can be sanctioned with administrative fines of up to EUR 10 million or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(4) GDPR).
In the first three years under the GDPR, data protection supervisory authorities did not sanction companies for failing to appoint an EU representative. This changed in May 2021, when the Dutch Data Protection Authority (DPA) imposed a fine of more than half a million EUR on LocateFamily.com.
What is LocateFamily.com and what did the Dutch DPA decide?
LocateFamily.com is a website that collects personal data such as names, full addresses and phone numbers, and publishes them online so that interested individuals can find friends or family members with whom they have lost contact. According to the company's own information, it lists details of over 350 million people from all over the world, including personal data of EU citizens.
LocateFamily.com collects data from various publicly available sources such as social media profiles, online forms and public registries; it also purchases transaction and telecommunications data. The website neither discloses the identity of the company running it nor informs the affected individuals that their personal data is being processed.
As a result, data subjects in several EU Member States complained to their national supervisory authorities about the processing of their personal data and its publication on the website without their knowledge or consent. According to the complaints, having one's personal data removed from the online database is not always easy to achieve either.
The Dutch DPA, which led the proceedings, stated that it is unacceptable to publish someone's phone number online without their knowledge. It emphasized the possible negative consequences of such data processing, such as uninvited visitors appearing at one's door. Moreover, wrongdoers could misuse the data to commit identity fraud or to harass persons over the phone.
For now, the Dutch DPA has not sanctioned these processing violations themselves but has imposed a fine of EUR 525,000 solely for the failure to appoint an EU representative. Additionally, LocateFamily.com must pay a penalty of EUR 20,000 for every further two weeks without such a representative, up to a maximum of EUR 120,000. The Dutch DPA underlined that a representative in the EU is of vital importance for data subjects to be able to exercise their data protection rights.
An EU representative is only the first step to GDPR compliance
The obligation of non-EU companies to appoint an EU representative is often described as a "hidden GDPR obligation", as many foreign companies are not aware of it. The Dutch DPA's decision has shown that companies falling within the scope of the GDPR are not beyond the reach of European enforcement merely because they are located outside the EU, and that infringements can have severe consequences.
Hence, non-EU companies are well advised to re-assess whether they are obliged to appoint a representative in the EU pursuant to Art. 27 GDPR. Given the very broad territorial scope of the GDPR under Art. 3(2), many foreign companies may be obliged to do so if they offer goods or services to, or monitor the behaviour of, individuals in the EU (read more on the applicability of the GDPR to non-EU businesses).
Moreover, it should be noted that the fine of EUR 525,000 was issued solely for the failure to appoint an EU representative and not for any further data protection violation. Given the harsh words of the Dutch DPA regarding the data processing activities of LocateFamily.com, further fines are to be expected.
These proceedings demonstrate that it is essential for non-EU companies to comply with the obligations under the GDPR. Appointing an experienced and qualified EU representative is a crucial first step. The representative should be able to assist you on all GDPR relevant matters and help you make your processing of personal data GDPR compliant.
Please also note that if your company does business with UK clients and processes their personal data, you may also be obliged to appoint a representative in the United Kingdom under the UK GDPR, which retains a corresponding obligation.