It hit the news recently that the Dutch data protection authority (the Autoriteit Persoonsgegevens) issued a fine of €525,000 against Locatefamily.com, a company believed to be based in Canada, for failing to appoint an EU representative for data protection purposes.
In this article we explore the decision, look at what an EU representative is and why you might need to appoint one for your organisation.
The requirement to appoint an EU Representative for Data Protection
The requirement to appoint an EU representative is enshrined in the General Data Protection Regulation 2016 (GDPR) and is part of the extra-territorial effect of GDPR.
Under Article 27 of GDPR, data controllers or processors that are not established in the EEA but still offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA must appoint an EU representative for the purposes of GDPR, unless one of the limited exceptions applies.
For more detailed information on appointing an EU representative please see my previous article here.
The decision
Locatefamily.com had failed to make an appointment under Article 27 and following a series of complaints about its conduct it was fined €525,000 by the Dutch data protection authority for this failure. In addition to the main fine, the company has been given 12 weeks to appoint an EU representative and if it fails to do so within the prescribed 12 week period it will face further fines of €20,000 for each fortnight it fails to appoint a representative, up to a total of €120,000.
Locatefamily.com is a platform which allows people to search for the contact information of family members or other people that they wish to contact.
The company claimed they had no business relationships in the European Union, were not situated in any country of the European Union and did not offer goods or services to the European Union. Despite their assertions, the Dutch data protection authority carried out its own investigation and determined Locatefamily.com’s data processing activities were within the scope of GDPR and as a result they needed to appoint an EU representative.
Amongst other duties, an appointed EU representative is responsible for liaising with data subjects and data protection regulators on behalf of the organisation that has appointed them. The Dutch data protection authority was particularly concerned, having already raised concerns about the fact that individuals’ contact details were being published on the platform, often without their permission or knowledge. By failing to appoint an EU representative, data subjects had no one to contact to get their data removed from the platform and no one in the EU to contact to assert their data protection rights.
But the UK has left the EU, so why does it matter?
Yes, following the end of the transitional period the UK is now outside of the EU and the EEA and UK businesses are now subject to UK-GDPR and the Data Protection Act 2018. However, many businesses will still be subject to EU GDPR where their data processing relates to EU citizens (either by offering goods or services to them or by monitoring their behaviour), so it is important that businesses do not forget that they may need to comply with both UK-GDPR and EU GDPR as well as any other local requirements in particular countries which may also apply to them.
UK based data controllers or processors who do not have offices, branches or other establishments in the EEA but still offer goods or services to individuals in the EEA or monitor the behaviour of individuals in the EEA, need to consider whether or not they needed to appoint an EU representative to comply with Article 27 of GDPR. Having a base in the UK will no longer qualify as an “establishment” in the EEA for the purposes of GDPR.
Conclusion
The decision from the Dutch data protection authority is a timely reminder and warning for UK businesses not to overlook the requirement to appoint an EU representative if needed and will be particularly important for those doing business internationally (which will be the case for most businesses offering services via the internet).
This is a complex and changing area of the law so we recommend that those businesses who are offering goods or services to individuals in the EEA or are monitoring the behaviour of individuals in the EEA carefully consider whether or not they need to appoint an EU representative and seek specialist legal advice before doing so.