Client Alert: Locatefamily.com fined €525,000 for failure to appoint a DPR

Introduction

One of the most overlooked obligations in GDPR is the requirement for organisations who are subject to GDPR but outside the EU to appoint a Data Protection Representative (DPR).  But that’s likely to have much more attention now with the fine announced this morning for Locatefamily.com from the Netherlands DPA (the Autoriteit Persoonsgegevens or AP) for failure to appoint a DPR.

We use some data protection terms here which are explained at www.bit.ly/gdprwords.

What is the DPR obligation?

The obligation to appoint a DPR is contained in GDPR Art.27.  Where the extra-territoriality provisions of GDPR apply – for example because an organisation not established in the EU is offering goods and services to individuals in the EU or it is monitoring their behaviour – the organisation must usually appoint a DPR in writing (subject to some exceptions).  The DPR must be established in the EU.

Who is Locatefamily.com?

That’s a good question.  As the name suggests Locatefamily.com is a website designed to help people find family members.  It’s not immediately clear who is behind the website.  The domain name is registered using an anonymising service and the Privacy Policy (which doesn’t comply with GDPR) doesn’t give a physical address.  The website claims that “LocateFamily.com and its parent company are not located in the European Union and have no business relationships in the EU.”

What did the AP say?

The AP said that its investigation showed that 700,000 people in the Netherlands were shown on the site.  It said that many of them appeared on the site without their knowledge.  It also co-operated with other regulators in the EU and Canada who had also received complaints.

The AP fined Locatefamily.com €525,000 for failing to appoint a DPR.

In addition to the fine the AP imposed an additional order requiring Locatefamily.com to appoint a DPR by 18 March 2021.  There is an additional penalty of €20,000 for every 2 weeks of default subject to a maximum of €120,000.  Somewhat strangely it seems the AP say they are not yet able to confirm whether a DPR has yet been appointed.

The question remains as to how the AP will enforce the fine.  It seems hard to track down who owns the site and it would not appear that the owners are engaging with the AP.  Enforcing the fine may provide to be substantially more difficult than issuing it.

What about Brexit?

This is an area where Brexit does add complexity.  There are similar obligations to appoint a DPR in the UK.  As yet there is no reciprocity between the EU and UK regimes so for example:

1. A UK based organisation may need to appoint a DPR in the EU
2. An EU based organisation may need to appoint a DPR in the UK
3. A US based organisation may need to appoint a DPR in the EU and the UK

There’s a more detailed explanation of GDPR after Brexit in our FAQs and film here https://bit.ly/brexdpfaq.

Practical tips

Despite any problems the AP might have in enforcing the fine in this case in other circumstances enforcement will be somewhat easier.  Many organisations also cannot risk the commercial and reputational risk a fine would bring.  Organisations should therefore consider:

1. Looking at each of your corporate entities outside the EU to see if they are subject to GDPR. Remember that the need to appoint a DPR is for each entity subject to DPR so check group entities providing services to others (e.g. a US based entity providing payroll services to EU subsidiaries; an Indian entity providing back office systems handling EU customer data; a US entity providing a B2C ecommerce site for the group’s worldwide sales).
2. Checking the EU-UK aspects too – you may need to appoint a DPR in both the UK & the EU.
3. Considering who the best DPR might be for your organisation. That could be another entity in your group or an outside DPR.  Exercise caution however as some organisations advertising DPR services may not be appropriate.  You’ll need to do due diligence on any outside agency you use.
4. Making sure you appoint a DPR in writing complying with the formalities of GDPR.
5. Making sure you’ve also checked other requirements including the possible need to register with and pay a fee to the UK Information Commissioner’s Office if there’s a UK involvement (see here https://www.corderycompliance.com/solutions/privacy-registration-and-renewal/).
6. Making sure you have a proper plan in place with the DPR to enable you to react quickly to concerns and reach out to DPAs when necessary to alert them to issues.

There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service.  GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply.  More details are at www.bit.ly/gdprnav.

There are more details of the AP’s enforcement action here https://bit.ly/3y7GDKu.

For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH		André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784		Office: +44 (0)207 075 1785
Jonathan.armstrong@corderycompliance.com		Andre.bywater@corderycompliance.com