A recent penalty imposed by the Dutch data protection authority should spur UK businesses to urgently review whether they need to appoint an EU-based data protection representative to continue servicing EU-based consumers in compliance with the General Data Protection Regulation (GDPR), an expert has said.
Amsterdam-based Wouter Seinen of Pinsent Masons, the law firm behind Out-Law, was commenting after the Autoriteit Persoonsgegevens (AP) imposed a €525,000 fine on a company thought to be based in Canada over its failure to designate a GDPR representative.
Under Article 27 of the GDPR, controllers or processors that are not established in the EU but nevertheless process EU citizens’ personal data for the purposes of offering goods or services or monitoring their behaviour must “designate in writing a representative in the Union”, subject to limited exceptions.
The designated representative must be based in an EU country “where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are”. Tasks of the designated representative include liaising with data subjects and regulators. The obligation to appoint a representative does not apply to public sector bodies.
Earlier this week, the AP announced that it had fined Locatefamily.com €525,000 because the company did not comply with its Article 27 obligation to designate an EU representative in writing.
Locatefamily.com is a platform that allows users to search for the contact details of people they have lost track of. The AP’s attention was drawn to the company after a series of complaints about the company were raised with its office.
Locatefamily.com told the AP that it had “no business relationships in the European Union”, is not “situated in any country of the European Union” and that it “also do[es] not offer goods or services to the European Union”. However, an AP investigation determined that the company’s processing of personal data was subject to the GDPR and that the company ought to have designated an EU-based representative. The company was given 12 weeks to remedy its breach. If it does not designate an EU data rep in that time, it faces a further fine of €20,000 each fortnight that then passes without action, up to a total of €120,000.
Wouter Seinen of Pinsent Masons said the AP’s enforcement action is a warning to potentially thousands of UK-based companies whose activities fall within the scope of the EU GDPR post-Brexit. Those businesses are already subject to the UK GDPR, but Seinen said it is likely that many continue to be subject to the EU GDPR too, and that a large proportion of those companies are probably unaware that they are required to designate an EU-based representative to comply with that legislation.
“Due to the binary nature of the data rep requirement, it is quite easy for a regulator to establish that an organisation is in breach, whilst it is almost impossible to find an excuse for not having met this requirement,” Seinen said. “This is why this topic should be higher on the risk radar of non-European businesses – in particular operators of apps and websites.”
Sylvan Martha, managing partner of First European Data Rep, said his company has seen a “steep incline” in the number of non-EU companies designating an EU data rep since Brexit.
Separately, the AP also announced that it had imposed a €7,500 fine on a Dutch political party, PVV Overijssel, over its failure to report a data breach that happened in January 2019. The breach concerned an email sent by an employee of the party to 101 recipients who were described in the email as ‘friends of the PVV’. The email invited those recipients to a meeting. All email addresses were visible to all recipients and as a result the political views of the addressees were shared.
Sari van Grondelle and Nienke Kingma of Pinsent Masons in Amsterdam said the case was significant because it highlighted the importance of businesses properly assessing whether a data breach is reportable under the GDPR.
They said that deciding whether a data breach is reportable requires an assessment of whether there has been a security incident leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data, and whether that breach is likely to result in a risk to the rights and freedoms of natural persons. Relevant to the assessment of risk are the nature of the breach; the nature, sensitivity and volume of the personal data; the ease with which individuals can be identified; the severity of the impact on individuals; particular characteristics of the individuals; particular characteristics of the controller; and the number of individuals affected.
The more sensitive the data, the greater the risk of damage for those who are involved, according to van Grondelle and Kingma. They highlighted how common it is for employees to accidentally share the email addresses of recipients by failing to use the ‘BCC’ function in their email software. The PVV case shows how seemingly innocent mistakes can have potentially serious consequences, they said.
Van Grondelle said: “This decision highlights the importance of making a proper assessment of whether a breach is likely to result in a risk to the rights and freedoms of natural persons, considering the relevant factors. This case shows that this can be more complex than meets the eye.”
Kingma said: “It is remarkable that in such a short period of time a second fine is imposed for not reporting a data breach in time. In March this year, the AP also imposed a fine of €475,000 on Booking.com for late reporting of a data breach. This might be a signal that the AP is paying greater attention to compliance with the data breach notification requirements. Both fines illustrate that the notification requirement should be taken seriously.”
Under the GDPR, organisations must notify local data protection authorities of personal data breaches they have experienced ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’. In addition, where there is a high risk of damage arising to the data subject then the data subjects must be informed directly without undue delay.