Appointing an EU GDPR representative is essential for non-EU companies processing EU residents’ data, as it ensures compliance with the GDPR. Your representative acts as a contact point for EU authorities and individuals, facilitating communication and legal obligations related to data protection. This appointment is not just a regulatory formality; it demonstrates a commitment to upholding the privacy and rights of EU data subjects and helps avoid potential legal and financial penalties for non-compliance with the GDPR’s stringent data privacy standards.
Some businesses continue to operate under the assumption that fines for GDPR non-compliance are only levied on large, multi-national organisations. However, as the following two examples demonstrate, this is certainly not always the case.
Locatefamily.com – €525,000 for failing to appoint an EU representative
Locatefamily.com was fined €525,000 in 2021 by the Dutch Data Protection Authority (DPA) for not having a representative in the EU. The website publishes people’s addresses and phone numbers without their knowledge, and anyone who wants to have their details removed from the site cannot do so easily. Following the issue of the fine, the company was given until March 18, 2021, to appoint a representative, with failure to do so resulting in a further penalty of €20,000 for every two weeks, up to a maximum of €120,000.
Clearview AI – €600,000 for failing to appoint an EU representative
Clearview AI was fined €20 million by the French data protection regulator, CNIL, for violating GDPR rules. The company was ordered to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected. The fine was imposed after Clearview AI failed to comply with a formal notice issued by the CNIL. The company was also fined €600,000 in Italy for failing to appoint a GDPR Article 27 representative. Clearview AI has been fined by several other regional data protection authorities, including the UK’s Information Commissioner’s Office, for using images of people in the UK and elsewhere that were collected from the web and social media to create a global online database that could be used for facial recognition.
Do you hold data on EU subjects without a representative in the EU?
If so, you are in breach of the GDPR and potentially at risk of a substantial fine. Article 27 of the GDPR deals with the obligation of non-EU establishments to designate a representative within the European Union, and it’s vital that your company is compliant with it. Assigning an EU or UK representative for your business is a straightforward process and we’ll be happy to talk you through it. Schedule a free call with us and we will explain what’s involved in more detail.