Social-Purpose Company Based in the US Fined €525,000 for Failure to Appoint EU Representative
Where a charitable company and their trading entity are based outside of the EU and they provide goods or services within the EU, they must appoint a representative in a member state where their customers can exercise their data protection rights.
Failure to comply can lead to sanctions or hefty administrative fines. Although an EU regulation, the same rules apply in the UK under the UK GDPR. Public authorities and organisations who only provide occasional services or goods with very limited processing of personal data are exempt from complying with this rule.
The LocateFamily.com Case
Recently, the Dutch Data Protection Authority imposed a fine of €525,000 (£451,000) to online platform LocateFamily.com for failing to appoint an EU representative. LocateFamily.com is a data website which publishes the personal contact details of individuals as a means to reconnect long lost friends, family and associates from around the world. The information held is freely accessible to anyone.
A group of Dutch nationals lodged a complaint with the Dutch Supervisory Authority (DSA) after their requests to have their data removed from the website went unanswered or backlogged by administrative requirements. The DSA conducted an investigation and concluded that the absence of a representative in the EU meant that those affected could not exercise their privacy rights and this was a breach of GDPR.
In addition to the fine, LocateFamily.com was ordered to appoint a representative in the EU subject to further fines every fortnight up to €120,000 until the appointment is made. It is unconfirmed whether an appointment has been made at the time of writing.
What Does This Mean for Charities?
The penalty is the first of its kind under this provision of the GDPR. Charitable companies should take notice of the financial implications and reputational damage which can arise as a result of non-compliance with applicable laws. This case highlights the importance of ensuring that your organisation has elected a suitable representative in the country where it conducts most of its activities.
You can check that your organisation is compliant using these key considerations:
- representative appointed in writing to act on your behalf
- clearly set out the terms of your relationship (note however, you cannot assign your liability under the GDPR)
- representative contact details included in your privacy notice or data processing information
- details easily accessible to supervisory authorities
It is clear that unincorporated associations, organisations established as trusts or Charter bodies are caught by these requirements. However, where activities of the charitable company in the EU are minimal, an assessment may be required to determine whether the exemption relating to occasional limited processing of sensitive personal data can apply. Given the financial risk of getting it wrong, we strongly recommend that professional legal advice is sought.