A significant fine recently imposed on a non-EU company by the Dutch Data Protection Authority (DPA) for lack of a representative under the EU GDPR suggests that enforcement against non-EU companies is being stepped up. A representative is separate from a data protection officer (DPO).
The investigation concerned an online platform, LocateFamily.com, which offered services to the EU but is not established within the EU. The GDPR requires companies with no establishment within the EU that offer goods/services to individuals within the EU to appoint a representative in the EU if they process personal data (with some exceptions). The same principles apply under the UK GDPR.
LocateFamily.com aims to reconnect people by displaying personal information such as telephone numbers or addresses on its site. There were several complaints to the DPA regarding the processing of personal data on the site, for example people's personal data being displayed without their consent or knowledge.
However, the main issue in this particular investigation and the subsequent fine was the lack of a representative. To comply with the GDPR, LocateFamily.com is required to have an appointed EU representative if it does not fall within one of the exceptions.
LocateFamily.com was fined EUR525,000 for having failed to appoint an EU representative, with an additional EUR20,000 for each two-week period during which it remains non-compliant (up to a maximum of EUR120,000).
If you are unsure as to whether you require a UK or EU representative, please do get in touch.