Earlier this month the Dutch Data Protection Authority (DPA) fined Canadian company, Locatefamily.com, €525,000 for failure to appoint an EU representative where it was required to do so. This enforcement further underlines the need for UK businesses to consider whether they need to appoint an EU representative and to take immediate action where they haven't yet appointed a representative.
Under the GDPR, if your organisation is based in the UK and does not have an office or establishment in any EU or EEA country, but 1) offers goods or services to individuals in the EEA or 2) monitors the behaviour of individuals in the EEA, then it will need to appoint an EU representative. If you don't, you may face a significant fine as this case demonstrates.
Whilst there are exceptions to this requirement, it is crucial that UK businesses assess whether they need to make such appointment. Following this latest fine, several commentators have suggested that this should be further up UK businesses' list of priorities as part of their post-Brexit compliance.
The EU representative must be established in one of the EEA countries where individuals subject to the processing are located. The representative can be an individual or an organisation, providing they are capable of representing the business regarding its obligations under the GDPR. Businesses can appoint an existing employee (providing they can meet the requirements) or outsource this to a third party services company. Whatever approach you take, its clear that organisations should get up to speed with the requirements quickly in order to ensure they're meeting their obligations and avoid the risk of significant fines.
Dutch DPA imposes fine of €525,000 on Locatefamily.com