Alexander Egerton, Partner and Head of Data Protection at Seddons LLP discusses how British businesses need to urgently consider appointing an EU based data protection representative or risk large fines.
The requirement to appoint an EU GDPR Representative is the GDPR’s forgotten obligation. To date, media coverage of the GDPR has concentrated, and may well continue to concentrate, on the fines levied and on whether consumers have consented to receive marketing material.
If a company processes the personal data of EU citizens at a sufficient scale or in a sufficiently high-risk category, the company will need to appoint an EU GDPR Representative (the obligation in Article 27 of the GDPR). The logic behind the appointment is that the privacy rights conferred by the GDPR travel with the EU citizen. Non-EU companies must therefore give EU citizens their GDPR privacy rights, and in order to enforce those rights the EU citizen deals with the EU GDPR Representative in place of the non-EU company. Although the UK continues to follow the GDPR, the UK is now a “third country”, so UK companies have to adhere to this obligation.
The first enforcement action against a company for not appointing a representative involved the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) imposing a fine of €525,000 on Locatefamily.com, a site that published people’s contact details for public use without those people knowing their details were readily accessible.
The AP received numerous complaints which should have been directed to Locatefamily’s EU GDPR Representative. But there was no EU GDPR Representative for the EU citizens to contact.
The AP fined Locatefamily.com €525,000 for failing to appoint a representative. In addition to the fine, the AP imposed an order requiring Locatefamily.com to designate a representative in the EU by 18 March 2021, with a further penalty of €20,000 for every two weeks of default, up to a maximum of €120,000.
Lessons to be Learnt
Looking at the size of the fine, it surely exceeds the 2% of turnover that regulators would otherwise impose as a maximum for the bare failure to appoint a representative. The fine reflects the fact that Locatefamily’s core activities are, from a GDPR perspective, high risk and ignore the GDPR’s guiding principles of transparency and accountability. Had Locatefamily been GDPR compliant in every respect other than the missing representative, the fine would have been lower, or the regulator’s first response would have been an enforcement order rather than a fine.
The key takeaway from this example is that whether an EU Representative has been appointed is now on EU regulators’ radar. A fine of this size will not be typical, but checking whether the appointment has been made will be.
Appointing a Representative
If a UK company’s data profile meets the threshold, the decision to appoint is simple. Companies that have reviewed the question and decided, on balance, not to appoint must keep a record of why not, to be shown to regulators on request. The guidance is not always clear on who must appoint; for example, any company that offers social-network functionality or operates CCTV is likely to have to appoint a representative.
The Representative has to be based in an EU member state where the UK company’s EU consumers live, and will therefore deal with that state’s regulator. How closely aligned that EU regulator is with the UK’s regulator, the ICO, is a question worth asking before choosing where to appoint.
For many UK businesses Ireland will be the obvious choice.
If the appointment is treated as a tick-box exercise with price as the sole determinant, it is likely to cause problems downstream. The representative must understand the data that the UK company processes.
If the representative performs its functions poorly then:
- the UK company will have reputational problems with its EU customers, who will encounter difficulties when exercising their rights;
- if the EU regulators pursue the representative, that may cause further reputational issues;
- if the representative is negligent, the ICO is likely to become aware of this and to scrutinise the compliance regime of the appointing company.
The best advice is to look at this appointment for what it is. The representative is an extension of the UK company’s brand and deals with the UK company’s customers with limited oversight from the UK company. Any UK company considering appointing must look carefully at the bona fides of the representative and document:
- What documented due diligence was conducted prior to appointment?
- Does the representative have the experience of dealing with regulators?
- Is there insurance cover?
- Is there a contract in place that allows the UK company to recover losses if the representative is negligent?
The appointment has to be made in writing, and both parties are best placed to set out at the outset how liability is apportioned between them.
The Representative also needs to hold a copy of the UK company’s record of processing activities.
EU regulators now have a precedent in which the failure to appoint is met by a fine that increases if the appointment is not quickly made. A proportion of this €525,000 fine reflects the failure to appoint; most of it reflects the other GDPR breaches. The GDPR empowers data subjects to hold data controllers accountable, and EU regulators clearly regard an appointed representative as an important tool for EU citizens to use in holding UK companies to account.