The website Locatefamily.com has been fined €525,000 by the Dutch Data Protection Authority for failing to appoint an EU representative. Under Article 27 GDPR, non-EU companies that do not maintain an establishment in the EU must appoint an EU representative if they are processing personal data of EU residents.
Locatefamily.com is an international website. It is not established in the EU, although it is not clear where it is actually based. The website aims to help people find friends and loved ones with whom they have lost touch. Names, addresses and sometimes telephone numbers of people are published on its website, often without their consent or knowledge. In its website FAQs, it says it obtains the information from a variety of sources, including people’s social media, government websites and businesses that sell it to them.
Locatefamily.com did not have an EU representative, as required by Article 27 GDPR. As a result, there was no clear method for individuals to exercise their data subject rights, including getting their personal data deleted. Following complaints by Dutch citizens to the Dutch Data Protection Authority, the company was fined €525,000 and ordered to designate a representative in the EU by 18 March 2021. If it has not done this, Locatefamily.com will have to pay an extra €20,000 for every 2 weeks without an EU representative, with a maximum additional penalty of €120,000.
Who is covered by Article 27 GDPR?
Most companies are covered by Article 27 if they process data of EU residents but do not maintain an establishment in the EU. It does not matter whether the company charges for its goods or services. Controllers and processors are both covered. An establishment is usually created in the EU by incorporating a subsidiary, which is responsible for its own local tax filings and its own compliance under data protection laws. This allows the non-EU company to avoid setting up a permanent establishment within the EU, and with it any unwanted tax burdens.
Companies can claim an exception from Article 27 if their data processing is occasional, and is not done on a large scale, or if the processing does not involve special category data (such as personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation) and is unlikely to result in privacy intrusions. The EU representative role is a fairly passive one, but the representative does need to be identified in privacy notices.
What should businesses do?
As a firm without any EU offices of our own, Doyle Clayton has appointed its own EU representative in order to comply with Article 27. Organisations like ours, with UK offices and no overseas presence, should give serious and immediate consideration to appointing an Article 27 representative if they deal with EU customers and businesses. Although the representative may not be used often and will have a largely passive role, it is important that one is appointed quickly. The repercussions of not doing so can be costly, as shown by the case of Locatefamily.com. Even if you think that one of the exemptions contained in Article 27 may apply to your business, it is worth obtaining specialist advice to avoid Article 27 penalties. Although Locatefamily.com is an extreme case of personal data abuse, it shows that Data Protection Authorities across the EU are willing and able to apply stringent penalties for failings in this area.