On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) imposed a €525,000 fine on Locatefamily.com for failure to comply with the obligation imposed under Article 27 of the EU General Data Protection Regulation (“GDPR”) to appoint a representative in the EU.
Locatefamily.com is an online platform that publishes contact details (including telephone numbers and addresses) of individuals. According to the Dutch DPA, individuals often did not register for the online platform and did not know how their personal information ended up on the platform.
The Dutch DPA, which had received numerous complaints from individuals, found that the online platform had failed to comply with data erasure requests. In this context, the Dutch DPA also found that the online platform did not have establishments in the EU and did not appoint a representative, making it difficult for data subjects to exercise their data protection rights.
Under Article 27(2)(a) of the GDPR, companies that (1) are not established in the EU and (2) offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU must appoint a representative in the EU, except if the processing of personal data (1) is occasional; (2) does not include, on a large scale, processing of sensitive personal data or personal data relating to criminal convictions and offences; and (3) is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
Accordingly, the Dutch DPA imposed a €525,000 fine on Locatefamily.com as well as an order to appoint a representative by a certain date, subject to a penalty.