21 May Locatefamily.com fined €525,000 for failure to appoint an EU Representative: is your organisation complying with privacy laws?
Failure to appoint a data representative under Article 27 of the General Data Protection Regulation (‘GDPR’) can cause your organisation quite a headache when it comes to data privacy laws.
Last week, Canadian-based company Locatefamily.com was fined €525,000 by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for failing to appoint a representative in the EU.
If Locatefamily.com fails to comply with the obligation imposed by the GDPR by a designated date, it will face additional fines of €20,000 for every fortnight the organisation is without an EU Representative.
The representative is an in-country point of contact that acts as an interface between an organisation, as a data controller, on one side and the individual data subjects and the relevant supervisory authority on the other side. This is a requirement of Article 27 of the GDPR.
No representative in the EU
Locatefamily.com is a site containing contact information of people around the world, including individuals in the EU (reportedly approx. 700,000 of whom are Dutch), which allows people to find lost family members or organise reunions with long-lost friends.
The website has been investigated by the Dutch Data Protection Authority following numerous complaints received by the Dutch DPA (and numerous other EU supervisory authorities) from individuals claiming that their personal information has been published on the website without their knowledge. The lack of a data representative created an additional obstacle to those who wanted to have their data removed from the website.
The ‘hidden’ obligation
The obligation to appoint an EU Representative or ‘EU Rep’ under Article 27 of the GDPR is sometimes called the ‘hidden’ obligation, as it often takes a back seat in press coverage of the various obligations the GDPR imposes on organisations.
Many organisations focus on data transfers, Data Protection Officer (DPO) services and privacy notices, overlooking the necessity to appoint a representative, which exposes their organisation to the risk of a hefty fine.
Do I need an EU Representative or a UK Representative?
The GDPR requires any organisation which either offers goods or services or monitors the behaviour of individuals in the EU, and processes their personal data for those purposes, to appoint an EU Representative unless they have their own establishment in the EU.
Since 1 January 2021, after the end of the Brexit transition period, organisations face an additional obligation to appoint a UK Representative if processing personal data of UK individuals, under Article 27 of the UK GDPR.
If your organisation falls under Article 27 of the GDPR then compliance is vital, and you need to appoint your EU and/or UK Representative now.
The fines for failure to appoint the representative can amount to €20 million or 2% of an organisation’s annual global turnover, whichever is higher. Supervisory authorities also have the power to suspend or prohibit data processing activities altogether.
So the question is, have you appointed your EU Representative and/or UK Representative yet? Our expert data privacy professionals are here to help you comply with both GDPR and UK GDPR laws.
Founded by legal and data protection experts recognised by the world’s largest global information privacy community, Willans Data Protection Services provides organisations operating on a multi-national basis with EU and UK Representative solutions, Data Protection Officer services and training solutions under the GDPR.
Through its affiliation with UK law firm Willans LLP, it also provides organisations with wider advisory services concerning GDPR compliance such as GDPR audits, drafting policies, preparing legal documentation and bespoke legal advice.
Contact us for all things concerning data protection.