€525,000 for not having an EU representative
On May 12, 2021, the Dutch supervisory authority imposed a penalty of €525,000 on a Canadian company that had no representative in the European Union (EU).
The website Locatefamily.com, published by the eponymous company under Canadian law, helps users search for people who may be members of their family. To do so, it publishes the names, addresses and telephone numbers of people without obtaining their consent.
The company had no establishment in the EU and processed the data of at least 700,000 Dutch people.
The Dutch supervisory authority received dozens of complaints about this site and about the difficulty of having personal information removed from it. The people concerned had not been informed that their personal data had been made public and could be surprised to find someone knocking on their door.
A cooperation process was set up between nine national supervisory authorities, in conjunction with the European Data Protection Board, to provide a response to the complainants.
The Canadian supervisory authority, the Office of the Privacy Commissioner of Canada, was also involved in the process.
The fine was imposed largely for failure to appoint a representative in the EU within the meaning of Article 27 of the GDPR. The absence of a representative prevented data subjects from turning to a European entity in order to exercise their rights, in particular their right to object and their right to erasure.
This is the first time that a supervisory authority has sanctioned a data controller for this type of violation.
What is a representative?
Recital 80 and Article 27 of the GDPR provide some answers.
The representative is defined as "a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation" (Article 4 of the GDPR).
Under what conditions should a representative be appointed?
A representative must be appointed when all of the following conditions are met:
- the representative represents a controller or processor that is not established in the EU;
- the controller or processor processes the data of data subjects who are located in the EU;
- the processing activities are related to the offering of goods or services to those data subjects in the EU, whether or not payment is required, or to the monitoring of their behaviour, insofar as that behaviour takes place within the EU.
In practice, using the personal data of individuals in the EU to publish a record about them on a website constitutes an offer of goods or services to those individuals.
This obligation does not apply if:
- the controller or processor is not required to keep a record of processing activities or categories of processing activities; the exemption criteria are the same (occasional processing, processing that does not involve sensitive data or data relating to criminal convictions and offences);
- the controller or processor is a public authority or public body.
How do you appoint a representative?
A written mandate by the controller or processor is required.
What are the responsibilities?
The representative is the point of contact for supervisory authorities in the EU and acts on behalf of the controller or processor in the context of their obligations under the GDPR.
The representative may be subject to enforcement proceedings by the supervisory authorities for non-compliance by the controller or processor, but this does not prevent the controller or processor from being subject to enforcement action directly. The fine imposed on Locatefamily.com is a good example.