UK businesses have been warned they could face severe penalties if they process data on EU citizens without appointing a representative based in the bloc, following a €525,000 fine slapped on a Canadian company for non-compliance.
GDPR sets out obligations for organisations that do not have a presence in the EU but that process data on EU subjects, including that they appoint an EU-based representative.
The measures still apply even if countries have an adequacy deal with Brussels, as Canada does, and, following Brexit, the UK is set to gain adequacy, too.
But Dutch data protection regulator Autoriteit Persoonsgegevens found that Canadian firm LocateFamily.com did not have such a representative. The firm, which helps people locate friends they have lost contact with, was found to be in breach GDPR following complaints that information was being published without customers’ consent.
The regulator has also ordered the firm to pay an additional €20,000 for each two-week period that passes without the fine being settled.
And Pinsent Masons partner Wouter Seinen claims the fine should serve as a warning to UK companies who have not yet appointed EU data protection representatives, but whose activities will likely fall under EU GDPR once the Brexit agreements have been finalised.
In a blog post Seinen writes: “Due to the binary nature of the data rep requirement, it is quite easy for a regulator to establish that an organisation is in breach, whilst it is almost impossible to find an excuse for not having met this requirement.
“This is why this topic should be higher on the risk radar of non-European businesses – in particular operators of apps and websites.”
UK business groups hailed the European Commission’s draft data adequacy agreements which, once approved, will allow the continued free flow of data between British and EU firms, insisting “data will be vital to fueling the next wave of business innovation and driving transformation in our society”.
But there are no figures on how many UK businesses have yet to appoint an EU data protection representative – or indeed how many need to.
Related stories
UK firms express relief as EU data transfer deal looms
New blitz to combat £2bn data science skills shortage
Brits demand trade deals don’t water down data laws
UK industry chiefs call for ‘precious’ Brexit data deal
Japan data deal better than EU agreement, Truss insists
