Dutch Data Protection Authority Imposes €525,000 Fine for Failure to Appoint Article 27 Representative

The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”). Locatefamily.com publishes contact details (including telephone numbers and addresses) of individuals on its online platform. According to the Dutch DPA, individuals often did not register to be listed on the platform and did not know how their personal information found its way to the platform. The Dutch DPA had received numerous complaints from individuals about Locatefamily.com. In a decision issued May 12, 2021, the Dutch DPA found that the online platform had failed to comply…


Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S. and the EU. Background In 2015 Max…


The Importance of Article 27: Identifying a Representative in Europe

The General Data Protection Regulation came into effect on May 25. In an effort to comply, companies of all sizes have been taking steps to meet requirements. Mapping data, appointing staff to lead data protection work in the organization, reviewing and updating security, developing data governance programs – businesses are investing time and resources to understand and meet GDPR expectations. What is often lost in this flurry of activity is an understanding of GDPR’s Article 27 – a provision that requires that companies that are not established in the EU, but that collect and process personal data about residents of the EU, appoint an EU-based representative. The EU…
