Jul 8, 2021

The first administrative fine for failure to appoint a DP Representative of a data controller

The Dutch Data Protection Supervisor (DPA) has imposed a fine of €525,000 on the Locatefamily.com website. Although this is a significant amount, compared to the highest fines imposed so far, the amount of this penalty is not in itself of particular interest.

The peculiarity of this case is that, for the first time, an administrative fine was imposed on a company whose headquarters are outside the EU and which does not have a subsidiary or a branch office within the EU. The fine was imposed for not appointing a representative of the data controller in the EU (DP Representative). Since Locatefamily.com offered services worldwide, among others to EU citizens in at least 8 member states, the data controller could not invoke the exemption for occasional processing, the definition of which is clearly prescribed in the Guidelines of the European Data Protection Board 03/2018. In the coming period, it will be interesting to see whether the penalty will encourage other Data Protection Supervisors to inspect other entities outside the EU that offer goods and services in the European Union, which has not been particularly common so far. Discouraging in that sense was the position of the Luxembourg Data Protection Supervisor in the case against Rocketreach: despite the processing of personal data of thousands of Luxembourg citizens and several hundred thousand EU citizens, it refused to launch an investigation because the company did not appoint an EU representative.

This makes the EU Data Protection Supervisors quite powerless towards non-EU based companies without an appointed DP Representative. The functions and responsibilities of the DP Representative have been somewhat invisible in their full implementation since the application of the GDPR. The reasons for this are the complexity of such functions, which should include knowledge of the laws and customs of most EU member states, but also the relative legal weakness of European supervisory authorities in terms of legal investigations and the success of special sanctions against smaller companies. It should also be noted that, although similar, the functions of the DP Representative and the Data Protection Officer are not identical functions that differ only in whether the company is EU based or non-EU based.

Read below about the functions of the DP Representative and their main features, as well as the exceptions to the obligation to appoint one.

How are our personal data protected in such situations, and in what way are personal data processed in compliance with the GDPR?

The territorial scope of the GDPR refers to organizations that have their headquarters or a branch office within the EU, regardless of whether personal data are processed inside or outside the EU.

The Regulation clearly regulates the processing of personal data on its territory. However, if the organization does not have a headquarters or physical office in the EU, but offers goods and services to EU citizens or monitors their behaviour, it should appoint a DP Representative established in the Union, whether it is a data controller or a data processor.

Who is the DP Representative?

Basically, the DP Representative’s function was introduced to facilitate communication regarding the implementation of the GDPR with organizations that specifically deal with the personal data of EU citizens but do not have their headquarters or an office in the EU, so that the Supervisory Body can take remedial actions and impose fines.

The General Regulation allows the organization to appoint one representative for business activities throughout the EU.

Where the organization conducts processing in, e.g., Croatia, Hungary and Slovenia, a DP Representative should be appointed in one of the three countries. Regardless of the territorial scope of processing in the EU, it is recommended that the DP Representative comes from the country where the largest amount of personal data is processed, but he or she should be able to communicate in languages understood by all data subjects and supervisory bodies.

The data controller or processor shall, by written authorization, appoint its representative to act on its behalf.

The DP Representative may be a natural or legal person, and his or her liability may be stipulated as part of business contracts or as a single service intended only to fulfill an obligation under the Regulation.

On the other hand, a DP Representative can act on behalf of a number of different data controllers and processors.

The DP Representative ensures that the processing of personal data is in accordance with the GDPR. In the first place, he or she must enable effective communication with the data subjects in terms of exercising their rights and, at the request of the Supervisory Body, for checking the compliance of the controller / processor. Although the controller / processor is responsible for the content of the records of processing activities, the Representative is obliged to take care that the records are always updated and available to the Supervisory Body.

So, is the DP Representative for an organization outside the EU the same as the Data Protection Officer (Officer) for an organization within the EU?

Although there are a number of similarities in how they act, in this section we look only at the differences concerning the activities conducted by the controller or the processor. The Officer is appointed on the basis of professional qualifications and knowledge of the law and of personal data protection, with a sufficient level of autonomy to act independently and without instructions from the controller or processor, and submits his or her contact details to the Supervisory Body.

The DP Representative is appointed to act on behalf of the controller or processor and is obliged to follow their direct instructions.

Although his or her expertise is not a requirement, it is recommended for him or her to be an expert, which is also in the interest of the controller and the processor.

The controller and the processor will not be liable for sanctions if the contact information of the DP Representative is not communicated to the Supervisory Body, but in terms of informing citizens, his or her contact information should be available before personal information is collected (e.g. in the Privacy Statement).

Are there exceptions regarding the appointment of a DP Representative?

The appointment of a Representative for organizations with a registered office and office outside the EU is not mandatory:

  • for public authorities or public bodies. The General Regulation did not specify who these bodies are, but it is considered that they should be prescribed by national law, and by their nature the operation and conduct of such bodies in the supply of goods and services should be limited.
  • if the processing of data is occasional, that is to say it is not conducted on a regular basis and is outside normal business activities, does not pose a high risk to the rights and freedoms of individuals, and does not include data relating to criminal convictions or, to a large extent, data of a special category.

Authors: Ines & Marko Krečak, Centar Feralis
