The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (AP), fined locatefamily.com €525,000 for failing to have a representative in the EU.

locatefamily.com is an online platform that aims to help people “find family, long lost friends, old flames, neighbors... for free!” Its website states it has details for “over 350 million people from around the world!”. However, when it was investigated, questions were raised about how it obtained personal data, as the AP found individuals often did not register for the online platform and did not know how their personal information ended up on there. Following complaints in a number of European countries, the AP worked with nine other European DPAs, as well as the Office of the Privacy Commissioner of Canada, to conduct an investigation into locatefamily.com’s activities.

Dutch data subjects wished to remove their personal data, including telephone numbers and addresses, from the website but found it very difficult to do so as there was no representative in the EU. Article 27(1) of the GDPR states that:

“Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.”

Article 27(2)(a) contains limited exceptions to this requirement to appoint an EU representative, but they were not relevant to this case. The AP found that it was clear locatefamily.com was not established in the EU. However, it did offer services to individuals in the EU, meaning it was caught under the long-arm jurisdiction provision in Article 3(2) of the GDPR and therefore needed to appoint a representative in the EU. The AP ordered locatefamily.com to appoint an EU representative and backed this up with a further penalty of €20,000 for every 2 weeks, up to a maximum of €120,000, should the platform fail to do so. The AP also mediated on behalf of the Dutch data subjects who wished to have their personal data deleted.

Given the importance of data subjects’ rights in Europe, this is a clear reminder that where a data subject cannot exercise their rights, DPAs will intervene and take action where necessary, and that data controllers and processors outside the EU need to consider whether they are caught by Article 27. Equally, this applies to data controllers and processors outside the UK, as UK GDPR also contains the same provision.