The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”).
Locatefamily.com publishes contact details (including telephone numbers and addresses) of individuals on its online platform. According to the Dutch DPA, individuals often did not register to be listed on the platform and did not know how their personal information found its way to the platform.
The Dutch DPA had received numerous complaints from individuals about Locatefamily.com. In a decision issued May 12, 2021 found that the online platform had failed to comply with data erasure requests. It also found that the online platform had not established a presence in the EU and had not appointed a representative. As a result, data subjects could not easily exercise their data protection rights.
Article 27(2)(a) of the GDPR obligates companies that (1) are not established in the EU and (2) offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU to appoint a representative in the EU. Companies are not required to appoint a representative if the processing of personal data (1) is occasional; (2) does not involve large scale processing of sensitive personal data or personal data relating to criminal convictions and offences; and (3) is unlikely to raise risks to the rights and freedoms of natural persons.
In addition to imposing the €525,000 fine, the Dutch DPA also ordered the company to appoint a representative by a specified date, subject to a penalty for failure to do so.
While bipartisan legislation to establish a federal privacy law in the United States – the American Data Privacy and Protection Act – moves through Congress, the Federal Trade Commission (FTC) has now taken steps to address existing and emerging issues related to commercial data and to consider the possibility of updating requirements.