Earlier this month, a company based outside of the EU, Locatefamily.com, was fined €525,000 for failing to appoint a Data Protection Representative (DPR). This highlights the importance of not overlooking one of the biggest changes to affect companies post-Brexit.
Not to be confused with a Data Protection Officer (whose appointment is only mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive personal data), a DPR must be appointed under the EU General Data Protection Regulation (GDPR) where a company:
• offers goods or services to, or monitors the behaviour of, individuals in the European Economic Area (EEA); and
• has no branch, office or other establishment in the EEA; and
• cannot rely on the narrow exemption for processing that is only occasional, does not include large-scale processing of sensitive (special category) personal data or criminal records data, and is unlikely to pose a risk to individuals. All three of those conditions must be met for the exemption to apply, so any regular processing, or any processing involving sensitive data, falls outside it.
Note that public authorities are exempt from this requirement.
The DPR must be established in one of the EEA member states in which the relevant data subjects are located; where they are spread across several countries, the country in which most of them are based is the natural choice. The DPR acts as a point of contact for supervisory authorities and data subjects on all matters concerning the processing.
This means that post-Brexit, a company established only in the UK that offers goods or services to individuals in the EEA, or monitors their behaviour, must appoint a DPR there, just as a US or other non-EEA company in the same position must. Conversely, a company that already has an establishment in the EEA does not need a DPR for EU GDPR purposes, because the supervisory authorities can deal with that establishment directly.
Under the ‘UK GDPR’, which for the most part mirrors the EU GDPR, the same requirement applies in reverse: a company with no establishment in the UK that offers goods or services to, or monitors the behaviour of, individuals in the UK must appoint a representative in the UK. A company outside both the EEA and the UK (a US company, say) that is caught by both regimes therefore needs two representatives, one in the EEA and one in the UK.
In the case of Locatefamily.com, the Netherlands supervisory authority (the Autoriteit Persoonsgegevens) imposed the fine after finding that the website held the personal data of some 700,000 Netherlands-based individuals, much of it published without their knowledge. Despite this evident processing of personal data of EEA-based data subjects, Locatefamily.com had not appointed a DPR, contrary to Article 27 of the GDPR. In addition to the fine, the company was ordered to appoint a DPR, with a further penalty of €20,000 for every two weeks in which it failed to do so.
Appointing a DPR involves the following:
• the appointment must be made in writing, with a mandate for the DPR to act on your behalf;
• the DPR’s identity and contact details must appear in your privacy notice as a clear point of contact;
• the DPR is mandated to be addressed by, and to deal with, the applicable supervisory authorities and data subjects on your behalf; and
• the DPR must promptly forward to you any communications received from supervisory authorities or data subjects.
As the UK supervisory authority, the ICO, has said recently, “good data protection is an investment”. It shows your customers, employees and business partners that you take the protection of their personal data seriously and helps to instil trust, and, of course, helps you to avoid hefty fines. The reputational damage to a business of a fine from a supervisory authority for non-compliance with applicable laws is simply not worth the risk.
If you require further advice on this topic, or in relation to data protection compliance generally, please get in touch.
Madeleine Rhodes email: firstname.lastname@example.org