Teaming up with... AVIVA

Welcome to the UKGI weekly regulation update service for Aviva ABC brokers

We hope you find the Updates useful. If you are
interested in subscribing to our affordable
ABC compliance support package, please
email us at ABC@ukgigroup.com or
call UKGI on our dedicated ABC
contact line 01925 767893.

Dutch data protection authority GDPR fine – a potential warning for UK businesses

May 27, 2021 | Other

Link(s):Warning for UK businesses after Dutch GDPR fine (pinsentmasons.com)
Boete van €525.000 voor Locatefamily.com | Autoriteit Persoonsgegeven

Context

This article, by Pinsent Masons’ Amsterdam-based Wouter Seinen, comments on the imposition by the Autoriteit Persoonsgegevens (AP) of a €525,000 fine on a company thought to be based in Canada, Locatefamily.com, over its failure to designate a GDPR representative.  The link to the AP press release above will need to be translated to read the source information.

Key points to note

Locatefamily.com publishes people’s address details and phone numbers, often without those people knowing. If they want their data deleted, it is not easy, because Locatefamily does not have a representative in the EU. Not having a representative in the EU is a violation of the privacy law and the reason for the fine.

The Pinsent Masons article highlights the following points:

  • Under Article 27 of the GDPR, controllers or processors that are not established in the EU but nevertheless process EU citizens’ personal data for the purposes of offering goods or services or monitoring their behaviour must “designate in writing a representative in the Union”, subject to limited exceptions.
  • The designated representative must be based in an EU country “where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”.
  • Tasks of the designated representative include liaising with data subjects and regulators.
  • The AP’s enforcement action is a warning to potentially thousands of UK-based companies whose activities are within the scope of the EU GDPR post-Brexit. Those businesses are already subject to the UK GDPR, but the article indicates it is likely that many continue to be subject to the EU GDPR too, and that a large proportion of those companies are probably unaware that they require to designate an EU-based representative to comply with that legislation.

Next actions

In light of this action in the Netherlands, firms (in particular those operating apps and websites) should carefully consider the implications of Article 27 of the GDPR and, if they are still processing personal data in relation to data subjects in the EU, review the need to appoint in writing an EU-based GDPR representative.