Dutch Data Regulator Imposes €525,000 fine for lack of a European Representative

On the 12th May 2021, the Dutch Data Protection Authority (“DPA”) cracked down on the database Locate Family which helps people find missing connections (locatefamily.com) for lack of a European Representative (“EuroRep”). Locate Family reportedly posted European citizens’ full names, addresses and phone numbers, often without their knowledge or consent. Furthermore, anyone who wanted to have their details removed from the service could not do so easily due to the lack of representation within the EU.

Locate Family was set up to help “find family, long lost friends, old flames or neighbours” for free and claim to have over 350 million people on their database from all over the world, including citizens from within the GDPR scope. The Dutch DPA was originally alerted of Locate Family after receiving “dozens of complaints” from citizens. After investigation, the Dutch DPA uncovered around 700,000 Dutch citizens’ details on the site with all their personal details freely accessible to anyone.

As well as the €525,000 fine for the GDPR breach, Locate Family from 18th March 2021 will pay an additional €20,000 every fortnight to a maximum of €120,000 until they have designated a EuroRep. Organisations that offer goods or services in the EU must have a representative to which EU citizens can turn for information or exercise their privacy rights. Read more about it in our previous update.

Following on from this announcement and complaints from their citizens other European Regulators are looking into Locate Family on similar issues. The DPA have stated they are working with nine other European Data Protection Authorities as well of that in Canada.

The UK GDPR is mirroring the requirement of the GDPR; therefore, if you have no establishment in the UK but you do offer goods to or monitor the activity of individuals in the UK, you are required to have a UK Representative.

What is an EU Representative?

The EU Representative acts on behalf of a data controller or processor. While not directly responsible for data processor/controllers’ compliance with the GDPR, they are required to facilitate any conversations between them and the data subject or regulator. These requirements may include:

• Facilitating the data processor/controllers’ responses in relation to data subject requests (such as the right to access, the right to erasure or the right to data portability). It is worth reminding that it is the EU Representative who brings any contraventions of the regulation to the regulator and they are the second line of enforcement, just after the self-regulation by processors and controllers.
• The EU Representative performs tasks according to the mandate received from the controller or processor, including cooperating with competent supervisory authorities about any activity taken to ensure compliance with GDPR.
• They may be required to help to facilitate with translation, as communication should be in the language or languages used by the supervisory authority or the data subject.
• The EU Representative should be readily available to answer any queries from the data subjects or supervisory authorities to ensure they can contact the data controller/processor’s supervisor whenever necessary.

Does your firm need an EU or UK Representative?

Do not get caught out! If you hold data on EU or UK citizens without a local representative and are concerned about compliance with local privacy laws, Laven provides both of these services.

• EuroRep/UKRep will be your representative in that jurisdiction, and the point of contact for customers and authorities in the EU regarding privacy.
• We utilise in-house technology to onboard our clients quickly and simply, and to help them assess their GDPR compliance.
• We have a long history of data privacy expertise and work openly with specialised consultants to ensure our clients’ peace of mind.

Click here to find out more.