Businesses that collect or process the data of residents of the European Union are subject to the EU’s General Data Protection Regulation (GDPR), regardless of where they are located. Compliance with the GDPR is mandatory, even if a firm does not have a base in an EU country, as Locatefamily.com has discovered.
Locatefamily.com is a free online service that allows individuals to locate family members, long lost friends, and other individuals. The Canadian company that runs the platform has fallen afoul of the Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), for failing to designate a representative in the EU, as required by GDPR Article 27.
When Article 3(2) of the GDPR applies, with very limited exceptions such as only occasional processing of data or public sector bodies, a data controller or data processor must designate in writing a representative in the European Union. The representative must be located in one of the member states where the data subjects are located, and that individual must be mandated to be addressed in addition to or instead of the controller or processor by supervisory authorities for the purpose of ensuring compliance with the GDPR.
AP was alerted to potential violations of the GDPR after receiving multiple complaints about Locatefamily.com and, upon investigation, discovered Locatefamily.com had not designated a representative within the EU. As a result of that violation, AP fined Locatefamily.com €525,000. This is the first time that a financial penalty has been imposed for a violation of this requirement of the GDPR.
AP had received complaints that addresses and phone numbers of residents of the Netherlands had been uploaded to Locatefamily.com without authorization and that EU data subjects had experienced difficulty having their data removed due to the lack of a representative within an EU member state.
Locatefamily.com explained to AP that it did not have any business relationships in the European Union, was not located in an EU country, and does not offer goods or services to the European Union. Be that as it may, it does not mean that a company is not subject to the GDPR.
AP imposed an order that required Locatefamily.com to appoint a representative within the EU by March 18, 2021 – within 12 weeks. For each 2-week period after that date that the company had not complied with the order, it would be subject to a fine of €20,000 up to a maximum fine of €120,000. AP said in its May 12, 2021 announcement that it is unaware whether Locatefamily.com has appointed a representative.
‘For a website to publish your phone number and address without your knowledge is unacceptable,’ said AP deputy chair Monique Verdier. ‘Private information must remain private. Wrongdoers could use this type of information to commit identity fraud, for example, or harass you at your home or by phone or email.’ Monique Verdier also explained that the contact information of more than 700,000 Dutch people has been uploaded to the website.
This fine should serve as a warning to all companies based in countries outside the European Union that collect or process the personal data of EU residents to ensure compliance with the GDPR.