The Dutch Data Protection Authority (the “DPA”) has recently imposed a fine of €525,000 on Locatefamily.com (“Locate Family”) following its failure to appoint a European Union (“EU”) data representative. The failure has led to a delay in mitigating a breach under the General Data Protection Regulation (“GDPR”).
This was the first enforcement taken by the DPA against a data protection breach under Article 27 of the GDPR.
SUMMARY
Locate Family, a Canadian website helping people find their missing connections, displayed both European and non-European citizens’ personal information without the data owners’ knowledge or consent. This information, defined as personal information under the GDPR, included full names, addresses, and phone numbers of the individuals. The DPA later received numerous complaints from data owners and consequently requested Locate Family to remove such identifiable information.
Locate Family struggled to remove such data from the site because it had no EU data representative. The DPA subsequently imposed a fine on Locate Family and ordered the company to designate an EU representative by March 2021, subject to a financial penalty of €20,000 for each two-week period in which a representative remained absent.
Subsequently, the DPA found out that Locate Family had indeed failed to appoint the representative and imposed a fine of €525,000 for the breach.
WHAT IS AN EU DATA PROTECTION REPRESENTATIVE?
Article 27 of the GDPR requires organisations established outside the EU to designate an EU data representative if they offer goods or services to or monitor the behaviour of European individuals.
This obligation aims to provide a local contact person for EU citizens for any concerns they may have regarding their data privacy, such as the right to request that personal data be deleted. EU data representatives act on behalf of the data processor, although they do not assume any liability in the event that the data processor fails to comply with the GDPR.
THE IMPORTANCE OF THE OBLIGATION UNDER ARTICLE 27
A lack of enforcement may encourage organisations to ignore the obligation under Article 27 of the GDPR. However, the Locate Family case demonstrated that the EU data protection authorities do in fact monitor whether organisations comply with this requirement, and that non-compliance will lead to enforcement action against the organisation.
The enforcement action taken against Locate Family also affirmed the extraterritorial scope of the GDPR, confirming that the GDPR applies to organisations established both outside and inside the EU.
CONCLUSION
The Locate Family case demonstrated that data protection authorities do in fact actively assess any potential abuse of personal data and any data that flows in and out of countries outside the EU. It is also evident that the authorities will impose appropriate penalties following any GDPR compliance failures.
Under the GDPR, organisations must designate an EU data representative if they:
- offer goods or services to individuals in the EU; or
- monitor the behaviour of individuals in the EU, including tracking on websites; and
- have no offices, branches, or establishment in the EU.
It should be noted that the United Kingdom (the “UK”) also has obligations similar to the ones detailed above, which means that, following the UK’s departure from the EU, companies are required to appoint a UK data representative. Organisations are therefore required to appoint a new EU representative even if they have previously had a UK-based one.
PRACTICAL TIPS
Non-EU organisations are advised to assess whether, and how, the GDPR applies to them. They are encouraged to engage representatives as a contact point between themselves and authorities or data owners for issues related to data processing activities.
In the post-Brexit world, organisations are also recommended to appoint a separate data representative to help them with data processing activities in the UK and the EU.
All organisations should keep their privacy policies up to date so that individuals can easily find the EU data representative’s contact details. This will allow organisations to respond adequately to erasure requests and avoid potential non-compliance with Article 27 of the GDPR.
For more information, and any guidance or advice on data protection, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.