The Dutch Data Protection Authority (DPA) has imposed a fine of €525,000 on the website Locatefamily.com for failing to appoint an Article 27 GDPR representative in the EU. The DPA also ordered that the company must designate an EU representative, or must pay 20,000 euros for every 2 weeks it does not have such a representative, with a maximum of 120,000 euros. (As of the 13 May 2021 there is no evidence that the company have appointed an EU representative).
Locatefamily.com is a USA based company that offers a platform where people can search for the contact information of family members with whom they have lost contact or of other people they would like to get in touch with. The platform is freely accessible, with no account creation required, and provides the personal details of people around the world, including in the EU. Approximately 700,000 Dutch people are listed on the site.
The Dutch DPA had received dozens of complaints about Locatefamily.com, as the website displayed the full addresses and sometimes also the telephone numbers of people who were unaware of how their details came to appear on the website. These contact details were then made public on the website, and anyone in the EU who wanted to have their details removed from the site could not do so easily because Locatefamily.com did not have a representative in the EU. In most cases, Locatefamily.com has since removed the data of the people in question.
The DPA deputy Chair stated ‘Private information must remain private. Wrongdoers could use this type of information to commit identity fraud, for example, or harass you at your home or by phone or email…if your address and phone number do end up on this site, there must be an easy way to have that information removed. That’s not possible here, partly because Locatefamily.com does not have a representative in the EU. That’s why we issued the website with a fine.’
A UK based organisation may need to appoint an EU represetantive post Brexit
Organisations based outside the EU that offer goods or services in the EU must have a representative whom which EU supervising authorities can contact if required, and EU citizens can turn for information or to exercise their privacy rights. The obligation to appoint a representative is contained in Article 27 GDPR.
An EU based organisation may need to appoint an UK representative post Brexit
There is a similar requirement under for a UK representative under the UK GDPR for organisations based in the EU or Internationally that offer goods or services in the UK citizens following Brexit.
An International company may need to appoint both a and EU rep and a UK rep.
For support, please call the team at SME Comply.