Dutch DPA fines company for failure to designate an EU representative
We recently wrote about the role of the representative within the context of EU GDPR legislation, now the UK is no longer part of the EU. To recap...
As things stand the EU GDPR has been incorporated into UK data protection law. This means that companies that complied with EU GDPR prior to 31st December 2020 will still comply with UK GDPR now that the transition period has ended.
There are, however, two key factors that may need to be considered on top of this. First, the issue of data flow between the EU and the UK, which was agreed in December 2020 by the EU and UK and forms the Trade and Cooperation Agreement. Second, the obligation organisations have to appoint a representative in the EU and UK.
We concluded our article by stating that:
This is a complicated set of requirements with many areas still under review. EU companies may now need to consider appointing a UK representative if they are targeting UK individuals. Similarly, UK companies may now need to assess whether they are required to appoint an EU representative, now that they have become a ‘third country’ from an EU perspective. Finally, those companies outside of both the UK and EU may need to consider whether they need to appoint two representatives, to satisfy both UK and EU law. UK-based representatives, used previously to satisfy the EU requirements may no longer be suitable.
On 12th May 2021, however, this subject became very real when the Dutch Data Protection Authority fined Locatefamily.com (a Canadian company) €525,000 for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation to appoint a representative in the EU.
The Dutch DPA found that Locatefamily.com (an online platform involved in publishing individuals’ contact details online) was publishing telephone numbers and addresses often without ensuring that individuals were aware that this was happening, or ensuring that they had registered to do so.
Following numerous complaints the Dutch DPA not only found that Locatefamily.com had failed to comply with data erasure requests but that (despite operating there) they did not have establishments in the EU and did not appoint a representative there, thereby making it difficult for data subjects to exercise their data protection rights.
As a result, the Dutch DPA imposed a €525,000 fine against Locatefamily.com as well as an order to appoint a representative by a certain date. This was ordered subject to a penalty if not actioned.
Article 27(2)(a) of the GDPR sets out clear requirements about whether companies need to appoint a representative or not. You can read more about this in our previous article. For more information about this or other data privacy matters please contact one of our specialist lawyers here.
Did you know that we specialise in working with SaaS businesses? As a part of this we’re offering a free GDPR Customer Readiness Assessment so that we can show you where there may be issues to be addressed and how to address them. If you’d like to take us up on this offer please contact Piers Clayden directly on firstname.lastname@example.org.