Two recent decisions from the Dutch and Spanish data protection authorities underscored the urgency of companies appointing a data protection representative for their EU operations. The absence of such a role could be considered a violation of the General Data Protection Regulation (GDPR) and result in significant monetary penalties.
The decision from the Spanish data protection authority (AEPD) in May imposed a fine of €500,000 for failing to implement technical and organizational measures and obtain consent when acting through a representative, in violation of Article 25 of the GDPR – its "privacy by design" provision. The regulator considered the client-representative practices to be “particularly risky” in this case. The AEPD held that the Portuguese utilities company EDP Group did not properly verify that representatives working on behalf of its clients, such as resellers, represented the clients and that they rarely asked for documentation.
Similarly, a Canadian website was fined €525,000 by the Dutch Data Protection Authority (DPA) for a breach of the same provision. The agency found that people were not able to remove their private information from the website as the company did not provide an EU representative. In addition to the original fine, the company was ordered to pay an extra €20,000 for each two-week period while it fails to appoint a representative, up to a maximum of €120,000.
Companies operating in the region need to be aware of these decisions and ensure that they place data protection representatives in the EU. Companies operating in the UK are also advised to have a representative, as the UK’s data protection laws closely mirror the GDPR.