Failure to comply can lead to sanctions or hefty administrative fines. Although the GDPR is an EU regulation, the same rules apply in the UK under the UK GDPR. Public authorities and organisations that only provide occasional services or goods with very limited processing of personal data are exempt from complying with this rule.
Recently, the Dutch Data Protection Authority imposed a fine of €525,000 (£451,000) on online platform LocateFamily.com for failing to appoint an EU representative. LocateFamily.com is a data website which publishes the personal contact details of individuals as a means to reconnect long-lost friends, family and associates from around the world. The information held is freely accessible to anyone.
A group of Dutch nationals lodged a complaint with the Dutch Supervisory Authority (DSA) after their requests to have their data removed from the website went unanswered or were backlogged by administrative requirements. The DSA conducted an investigation and concluded that the absence of a representative in the EU meant that those affected could not exercise their privacy rights, and that this was a breach of GDPR.
In addition to the fine, LocateFamily.com was ordered to appoint a representative in the EU, subject to further fines every fortnight, up to €120,000, until the appointment is made. It is unconfirmed whether an appointment has been made at the time of writing.
The penalty is the first of its kind under this provision of the GDPR. Charitable companies should take notice of the financial implications and reputational damage which can arise as a result of non-compliance with applicable laws. This case highlights the importance of ensuring that your organisation has elected a suitable representative in the country where it conducts most of its activities.
You can check that your organisation is compliant using these key considerations:
It is clear that unincorporated associations, organisations established as trusts or Charter bodies are caught by these requirements. However, where activities of the charitable company in the EU are minimal, an assessment may be required to determine whether the exemption relating to occasional limited processing of sensitive personal data can apply. Given the financial risk of getting it wrong, we strongly recommend that professional legal advice is sought.