On the 12th May 2021, the Dutch Data Protection Authority (“DPA”) cracked down on the database Locate Family which helps people find missing connections (locatefamily.com) for lack of a European Representative (“EuroRep”). Locate Family reportedly posted European citizens’ full names, addresses and phone numbers, often without their knowledge or consent. Furthermore, anyone who wanted to have their details removed from the service could not do so easily due to the lack of representation within the EU.
Locate Family was set up to help “find family, long lost friends, old flames or neighbours” for free and claim to have over 350 million people on their database from all over the world, including citizens from within the GDPR scope. The Dutch DPA was originally alerted of Locate Family after receiving “dozens of complaints” from citizens. After investigation, the Dutch DPA uncovered around 700,000 Dutch citizens’ details on the site with all their personal details freely accessible to anyone.
As well as the €525,000 fine for the GDPR breach, Locate Family from 18th March 2021 will pay an additional €20,000 every fortnight to a maximum of €120,000 until they have designated a EuroRep. Organisations that offer goods or services in the EU must have a representative to which EU citizens can turn for information or exercise their privacy rights. Read more about it in our previous update.
Following on from this announcement and complaints from their citizens other European Regulators are looking into Locate Family on similar issues. The DPA have stated they are working with nine other European Data Protection Authorities as well of that in Canada.
The UK GDPR is mirroring the requirement of the GDPR; therefore, if you have no establishment in the UK but you do offer goods to or monitor the activity of individuals in the UK, you are required to have a UK Representative.
What is an EU Representative?
The EU Representative acts on behalf of a data controller or processor. While not directly responsible for data processor/controllers’ compliance with the GDPR, they are required to facilitate any conversations between them and the data subject or regulator. These requirements may include:
- Facilitating the data processor/controllers’ responses in relation to data subject requests (such as the right to access, the right to erasure or the right to data portability). It is worth reminding that it is the EU Representative who brings any contraventions of the regulation to the regulator and they are the second line of enforcement, just after the self-regulation by processors and controllers.
- The EU Representative performs tasks according to the mandate received from the controller or processor, including cooperating with competent supervisory authorities about any activity taken to ensure compliance with GDPR.
- They may be required to help to facilitate with translation, as communication should be in the language or languages used by the supervisory authority or the data subject.
- The EU Representative should be readily available to answer any queries from the data subjects or supervisory authorities to ensure they can contact the data controller/processor’s supervisor whenever necessary.