Dutch Data Protection Authority Imposes €525,000 Fine for Failure to Appoint Article 27 Representative

Written by

Achieved Compliance

The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”).

Locatefamily.com publishes contact details (including telephone numbers and addresses) of individuals on its online platform. The Dutch DPA stated that individuals frequently didn't register to be listed on the platform and were unaware of how their personal information ended up on it.

The Dutch DPA had received numerous complaints from individuals about Locatefamily.com. In a decision issued May 12, 2021 found that the online platform had failed to comply with data erasure requests. It also found that the online platform had not established a presence in the EU and had not appointed a representative. As a result, data subjects could not easily exercise their data protection rights.

Article 27(2)(a) of the GDPR requires companies not established in the EU but offering goods or services to individuals in the EU or monitoring their behavior to appoint a representative in the EU. Companies do not need to appoint a representative if the processing of personal data (1) occurs occasionally; (2) doesn't involve large-scale processing of sensitive personal data or data related to criminal convictions and offenses; and (3) is unlikely to pose risks to the rights and freedoms of individuals.

In addition to imposing the €525,000 fine, the Dutch DPA also ordered the company to appoint a representative by a specified date, subject to a penalty for failure to do so.

Read the press release and the decision (in Dutch).

We are committed to ensuring your compliance with the General Data Protection Regulation’s Article 27. Contact us today to achieve compliance internationally.

PRIVACY BLOG