On 12 May the Dutch Data Protection Authority announced that it had fined a non-European company for failing to appoint an EU representative, as required by the GDPR.  The Dutch regulator received dozens of complaints about Locatefamily.com.  Locatefamily provides a platform for people to find contact information of relatives with whom they have lost contact or of people with whom they would like to get in touch.  The site contains personal data of people from all over the world, including the EU.  Around 700,000 Dutch citizens are listed on the site.

The website and all personal data are freely accessible to everyone, even people who have not registered for an account.  The Locatefamily.com website shows full addresses and sometimes phone numbers of people who are unaware that their details have been obtained.  The regulator said that this level of intrusion has a large impact on the individuals concerned who are worried that unexpected visitors might arrive on their doorsteps to make contact with them.

Locatefamily had not appointed a representative in the EU, which made it difficult for European individuals to object to this publication of their data or to request that the data be deleted.  For this reason, Locatefamily has been fined €525,000 for failing to appoint a representative in the EU.  The company was given until 18th March this year to appoint a representative, after which continued failure to do so would incur an additional fine of €20,000 for every two weeks up to a maximum of €120,000.

The Dutch regulator commented:

“If you want to share that information, you can of course do that. But you must be able to choose for yourself. At Locatefamily.com, many people don’t get that choice. And if your address and phone number end up on such a website anyway, you should at least be able to easily arrange for that information to be removed from the website. That’s not possible here. This is partly because Locatefamily.com has no representative in the EU. That’s why we fined Locatefamily.com.’

This case provides a reminder now that the UK has left the EU, that UK businesses need to appoint a representative in the EEA if:

  • they are a data controller or processor; and
  • they do not have a branch, office or other establishment in any EU/EEA state, but they either:
  • offer goods or services to individuals in the EEA; or
  • monitor the behaviour of individuals in the EEA.

Likewise, under the UK GDPR, non-UK organisations need to appoint a UK representative if they do not have an establishment in the UK and they carry out those activities in respect of individuals in the UK.  You can find answers to frequently asked questions about appointing EU or UK representatives on the Information Commissioner’s website.