Penalty for not appointing an EU or UK Representative
EUR 525,000 -approximately USD 635,000 in fines for the Canadian company
According to Art. 27 GDPR / UK GDPR, companies that are not established in the EU/UK but process personal data in connection with monitoring the behaviour of individuals or offering goods or services directly to individuals in the EU/UK have an obligation to designate – in writing – an EU or UK representative and publish their contact details.
It does not matter whether the company charges for such goods or services or not (e.g. a person who runs a blog).
Appointing a ‘representative’ is a simple thing, but for many companies based far outside of Europe or UK, it has been relegated to the background or simply overlooked. However, a recent decision by the Dutch data protection authority means that this obligation can no longer be put off.
The Dutch authorities fined a non-EU based company, Locatefamily.com, more than half a million euros (or €525,000; approximately $635,000) for failing to appoint an EU representative.
But the Dutch authority went even further: it said that the Canadian company has until March 18, 2021 to appoint a representative, otherwise it must pay €20,000 ($25,000) for every two weeks of violation of this requirement, up to a maximum of €120,000 ($145,000).
In the case of this one company, seemingly based in Canada, the total fine could reach a staggering amount of 645,000 EUR (785,000 USD). The company in question publishes addresses and phone numbers of millions of people around the world – often without their knowledge. “LocateFamily.com” states on its website that it is not located in the European Union and does not have any business relationships in the EU.
That may be true, however, by processing personal data of individuals located in the EU, they are obliged to comply with the GDPR and therefore this type of activity must appoint an EU representative.
UK Representative – that is exactly the same obligation applies to all non-UK organisations under Art 27 UK GDPR.
Regulatory authorities for data protection worldwide collaborate with each other in such matters. In this case, the Dutch regulatory authority collaborated in its investigation with nine other EU data protection authorities and the Office of the Privacy Commissioner of Canada.
As stated by the Dutch regulatory authority after investigating the case, the consequences of not having a representative are clear: it makes it difficult for individuals in the EU to request the deletion of their data, access to their data, or exercise other rights under European law because LocateFamily does not have a representative in the EU. The lack of a representative in the EU is a violation of the right to privacy and a direct reason for imposing a fine.
All companies that process personal data of citizens and residents of EU member states and do not have their headquarters within the EU are required to appoint an EU representative for data protection.
This requirement also applies to the UK. The law applies to any entity that does not have a presence in the UK but processes the personal data of British citizens and residents, even if it is not for commercial purposes.
Companies may be exempted from the obligation under Article 27 if their processing is:
- does not involve the processing of special categories of data on a large scale,
- and is unlikely to result in a breach of privacy.
Companies should demonstrate their exemption from the obligation to appoint an EU/UK representative, for example, by providing a written – after Audit report.
As the investigation into the Canadian company shows, inaction in this matter can be costly.
If you would like to entrust us with the function of EU Representative or UK Representative for your company, here’s what we will do as part of this service:
- notify you of any changes in GDPR / UK GDPR legal regulations,
- maintain a “Record of processing activities” in accordance with Article 30 of GDPR,
- provide unlimited online and phone consultations,
- represent you before the ICO (including in infringement proceedings) and data subjects (Data Subject Access Requests) – UK Representative roles,
- represent you before the UODO (polish supervisory authority) – including in infringement proceedings and data subjects (Data Subject Access Requests) – EU Representative roles.
Click on the EU/UK Representative button to learn more about our offer