Dutch DPA fine company EUR 525,000 for not appointing an EU representative
On May 12, 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch Data Protection Authority”) fined Locatefamily.com € 525,000 for failing to comply with Article 27 of the EU General Data Protection Regulation (“GDPR”) to a Appoint representatives in the EU.
Locatefamily.com is an online platform that publishes contact details (including phone numbers and addresses) of people. According to the Dutch Data Protection Authority, individuals often did not register for the online platform and did not know how their personal data ended up on the platform.
The Dutch Data Protection Authority, which had received numerous complaints from individuals, found that the online platform had failed to comply with data erasure requirements. In this context, the Dutch Data Protection Authority also found that the online platform had no branches in the EU and did not appoint a representative, which made it difficult for data subjects to exercise their data protection rights.
According to Article 27 (2) (a) of the GDPR, companies that (1) are not established in the EU and (2) offer goods or services to persons in the EU or monitor the behavior of persons in the EU must appoint a representative in the EU unless the processing of personal data (1) takes place occasionally; (2) does not include, on a large scale, the processing of sensitive personal data or personal data related to criminal convictions and offenses; and (3) taking into account the nature, context, scope and purpose of the processing is unlikely to pose a risk to the rights and freedoms of natural persons.
Accordingly, the Dutch Data Protection Authority imposed a fine of € 525,000 on Locatefamily.com and an order to appoint a representative by a specified date, with a penalty being imposed.
Read the press release and the decision (in Dutch).