- Henry Park
Don't forget your GDPR representative
In December 2020, the Dutch Data Protection Authority (DPA) fined the website Locatefamily.com 525,000 Euros for failing to appoint a GDPR representative in the EU (see decision in Dutch).
Locatefamily.com and the business behind it are not based in the EU (see FAQ No. 9). They may be based in Canada or the USA, the exact location is unknown.
The website collects personal data about people from around the world allegedly in an attempt to help locate other people. The DPA determined that it was processing the personal data of approximately 700,000 Dutch residents (see link).
Under the GDPR, companies that (1) are not established in the EU and (2) offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU must appoint a representative in the EU except in limited circumstances (Art 27(2)(a)). As locatefamily.com was offering services to EU residents, the website was obligated to appoint a GDPR representative in the EU.
Because it did not have a GDPR representative, the DPA fined the website 525,000 Euros and added a potential penalty of up to 120,000 Euros if locatefamily does not timely appoint a representative.
The elephant lurking in the room is how will the DPA enforce and collect on the fine (and potential penalty).