Businesses operating outside the borders of the European Union could easily shrug when GDPR entered into force, saying they were not subject to the strict rules and therefore did not have to fear significant fines. However, the General Data Protection Regulation applies not only to entities established within the Union, but also to companies that provide their services in this market. That is why the GDPR itself requires third-country organizations to designate a contact person in the concerned Member State. Entities that fail to comply with this obligation may be obliged to pay 2% of their annual revenue for violating the rule.
In the absence of a similar penalty in the past, the Dutch data protection authority, as a pioneer, imposed a fine of 525 thousand euros (approximately 185 million forints) against the Canadian company Locate Family. The corporation provides an online platform for anyone to search (and, where appropriate, obtain information from public or social sites) if they want to find loved ones, acquaintances, or even the location of a cell phone. The business did not have an EU registered office, but its activities could also be used by EU citizens, or their data could be obtained from by Locate Family. The Dutch authority found that without the appointment of an EU representative, EU citizens using the service could not, or only with difficulty, remove their data from the company’s website. Emphasizing the gravity of the infringement, the authority fined the corporation an additional € 20,000 every fortnight until the delegate was appointed.
Multinational companies are likely to have subsidiaries, including a representative, within the Union, which reduce the risk of such a breach. However, the territorial scope of GDPR also applies to small and medium-sized enterprises, for whom it poses a significant financial risk if they fail to take the necessary steps. Thus, we summarize below what to keep in mind when an entity has cross-border activities.
(1) Recipients and definition of the activity
If the organization does not have an establishment in the European Union, but
– controls the personal data of EU data subjects and the data controlling is related to
- offering goods or services or
- monitoring the behavior of individuals within the European Union,
the entity falls under GDPR.
(2) The Obligation to Designate a Representative
If the above criteria are all met, the business must designate a representative in writing to act on behalf or in favor of the principal in all matters relating to data controlling. In certain cases, the obligation to appoint a delegate is not a must. As an example, if the processing is occasional and does not include special categories of data and is unlikely to result in a risk, or it is performed by public authorities or bodies, no appointment is required.
The Canadian case highlights that failure to comply with a less known obligation can also lead to high data protection penalties, even though, with the above considerations in mind, the risk can be minimized or even ensured by using a service provider.