Spotlight on Requirement to Appoint an EU Data Protection Representative

Under the EU General Data Protection Regulation (EU GDPR) and the UK Data Protection Act 2018 (UK GDPR) (together the GDPR), even if an organisation is not established in the European Economic Area (EEA) or United Kingdom it must appoint a Data Protection Representative (DPR) based in an EU member state and/or in the UK if they:

  • process an individuals’ personal data who is located in the EEA and/or UK; and
  • offer goods/services to those individuals in the EEA and/or UK or monitor their behaviour.

Failure to comply may result in fines that can amount up to €20,000,000 or 4 percent of worldwide turnover (whatever is higher) from the relevant regulators, as well as being at risk from potential claims from individuals whose data is breached.

Online platform Locatefamily.com, unfortunately learnt this the hard way. The platform does what it says on the tin, it helps individuals find long lost family members. The platform publishes personal data including names and contact information of European citizens, on occasion without their knowledge or consent — a clear breach of modern day data protection rights.

The Dutch Data Protection Authority (Dutch DPA) was notified of Locatefamily.com’s activities after receiving numerous complaints from Dutch citizens. Following an investigation, the Dutch DPA discovered the online platform did not have an EU representative, making it difficult for individuals to exercise their data protection rights (i.e., the right to be forgotten).

The Dutch DPA imposed a fine of €525,000 for the EU GDPR breach and imposed an order instructing Locatefamily.com to appoint an EU representative by 18 March 2021, or face an additional fine of €20,000 every fortnight up to a maximum of €120,000 until a representative was appointed. Overall, Locatefamily.com are facing a potential fine of €645,000. To this date, it is not clear whether Locatefamily.com have appointed a DPR, their website is silent and there has been no further statement from the Dutch DPA.

Whilst historically the requirement to appoint an EU representative (and following Brexit a UK representative) by companies outside of the EEA may have been overlooked, following this decision, it is recommended that companies outside the EEA and UK paying attention to what the GDPR representative requirement may mean for them.

_______

Nicole Akinyemi, a paralegal in the Financial Markets and Funds practice, contributed to this advisory.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising

Written by:

Katten Muchin Rosenman LLP
Contact
more
less

Katten Muchin Rosenman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.