The Dutch Data Protection Authority (DDPA)
fined a nonEU website provider with 525,000 Euro for failure to appoint an EU representative according to Art. 27 GDPR. Additionally, it required the website to pay further 20,000 Euro for each two-week period it failed to appoint an EU representative, up to a maximum of 120,000 Euro.
What was the case about?
The website provider offers a platform for anyone who is looking for contact information of people they have lost touch with by providing their name, address, place of residence and sometimes their phone number. The website is publicly accessible and contains data of residents from both inside and outside the EU. The services on the website are also offered to individuals in the EU.
The EU Representative under the GDPR
Due to the GDPR’s broad scope of application, companies doing business within the EU will often be subject to its provisions, even if they have no establishment in the EU. Pursuant to Article 27 (1) GDPR, companies that (i) are not established in the EU and (ii) offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU must appoint a representative in the Union except when one of the (very limited) exemptions under Article 27 (2) of the GDPR applies.
No special conditions apply to the appointment, except that it must be in writing and expressly. Any natural or legal person established within the EU pursuant to Article 27 (3) of the GDPR may be appointed as EU representative. Primarily, the role of the EU representative is to be the local point of contact for EU individuals and EU data protection supervisory authorities, and to represent the non-EU company with regard to their respective obligations under the GDPR. Its duties involve keeping a record of the represented company's processing activities. A more detailed overview of the EU representative’s obligations can be found
here.
Findings of the DDPA
DDPA determined that the case at hand involves the processing of personal data of data subjects located in the EU. When opening the website in question, name, address and place of residence of persons within and outside the EU are displayed. Such personal data of EU residents is processed to offer services through the website such as for family reunions and school reunions. According to the DDPA, it is apparent that these services are also aimed at EU residents and are offered in several EU countries.
The DDPA also found that the website operator qualifies as a data controller within the meaning of Article 4 of the GDPR as it processes personal data with the aim of making it available to anyone who is looking for a particular person. The website operator controls the registration of personal data on their website as well as the removal of the data and therefore has control over data subjects’ rights and the processing of personal data and determines the purposes and means of such processing.
The DDPA concluded, thus, that the GDPR is applicable according to its Article 3 (2). The website operator is therefore under the obligation to designate a representative in the EU pursuant to Article 27 (1) GDPR, and has failed to do so.
Importance of the Decision
The decision of the DDPA demonstrates that non-compliance with the representative obligation under Article 27 (1) of the GDPR can have severe consequences. With the
EU Commission stating that the expansion of the territorial scope of the GDPR shall be appropriately reflected in the enforcement action by the data protection authorities, it can be expected that international enforcement of the GDPR will receive increased attention. Appointing an EU rep is usually a “quick win” from a GDPR compliance perspective, as the obligation can be easily complied with. The appointment of an EU representative can also be regarded as a mitigating factor by EU supervisory authority when assessing potential fines for GDPR-non-compliance.
Whether the appointment of an EU representative really makes the enforcement of actions by EU regulators easier is, however, open: In the case at hand it does not seem clear yet how the DDPA will enforce the fine. It is apparent from the decision that the privacy policy of the fined website operator does not contain an address and the domain name is registered using an anonymization service.
