The Dutch Data Protection Authority (DPA) on May 12, 2021, imposed a fine of €525,000 on the company that operates Locatefamily.com. The DPA fined the company for its failure to appoint a local representative in the EU. Under Article 27 of the GDPR, companies not established in the EU but are dealing with the data of EU citizens are required to appoint an EU-based representative. The DPA also ordered the website to remedy the non-compliance within 12 weeks, failing which it would impose an additional penalty of €20,000 for every two weeks of non-compliance (up to a maximum of €120,000). This is the first reported action under GDPR for failure to appoint a local representative.
The website helps people find the contact details of their long-lost family members, friends, and neighbors. The website offers the personal details of people worldwide, including in the EU and approximately 700,000 Dutch people listed on the site. The DPA in coordination with other EU regulators was acting on several complaints received from Dutch citizens that their personal data was made available without their consent.
You may like: Anonymisation and Pseudonymisation under GDPR
Following the complaints, the DPA initiated an investigation to locate the company. Preliminary requests sent to Locatefamily.com only resulted in the responses stating that it is not located in the EU and does not have any business relationships in the EU, nor an office or a representative and that it does not offer goods or services to the Union.
In fact, Locatefamily.com responded that it was “puzzled as to why you would you need to know where we are situated”. From the IP address location, it was found that the entity might be located in Canada and did not have a representative in the EU. Although the Canadian Office of the Privacy Commissioner provided assistance, the DPA was not able to determine the location of Locatefamily.com. Given that the DPA could not locate the data controller, it is to be seen how this order will be enforced by the regulator.