Social-Purpose Company Based in the US Fined €525,000 for Failure to Appoint EU Representative

on Tuesday, 06 July 2021.

Where a charitable company and their trading entity are based outside of the EU and they provide goods or services within the EU, they must appoint a representative in a member state where their customers can exercise their data protection rights.

Failure to comply can lead to sanctions or hefty administrative fines. Although an EU regulation, the same rules apply in the UK under the UK GDPR. Public authorities and organisations who only provide occasional services or goods with very limited processing of personal data are exempt from complying with this rule.

The LocateFamily.com Case

Recently, the Dutch Data Protection Authority imposed a fine of €525,000 (£451,000) on the online platform LocateFamily.com for failing to appoint an EU representative. LocateFamily.com is a data website which publishes the personal contact details of individuals as a means to reconnect long-lost friends, family and associates from around the world. The information held is freely accessible to anyone.

A group of Dutch nationals lodged a complaint with the Dutch Supervisory Authority (DSA) after their requests to have their data removed from the website went unanswered or were backlogged by administrative requirements. The DSA conducted an investigation and concluded that the absence of a representative in the EU meant that those affected could not exercise their privacy rights, and that this was a breach of the GDPR.

In addition to the fine, LocateFamily.com was ordered to appoint a representative in the EU, subject to further fines every fortnight up to €120,000 until the appointment is made. It is unconfirmed whether an appointment has been made at the time of writing.

What Does This Mean for Charities?

The penalty is the first of its kind under this provision of the GDPR. Charitable companies should take notice of the financial implications and reputational damage which can arise as a result of non-compliance with applicable laws. This case highlights the importance of ensuring that your organisation has elected a suitable representative in the country where it conducts most of its activities.

You can check that your organisation is compliant using these key considerations:

  • representative appointed in writing to act on your behalf
  • clearly set out the terms of your relationship (note however, you cannot assign your liability under the GDPR)
  • representative contact details included in your privacy notice or data processing information
  • details easily accessible to supervisory authorities

It is clear that unincorporated associations, organisations established as trusts or Charter bodies are caught by these requirements. However, where activities of the charitable company in the EU are minimal, an assessment may be required to determine whether the exemption relating to occasional limited processing of sensitive personal data can apply. Given the financial risk of getting it wrong, we strongly recommend that professional legal advice is sought.

If you have any questions relating to GDPR compliance, please contact Penny Bygrave in our Charity Law team on 020 7665 0867, or complete the form below.
