Locate Family fined for not appointing a representative Summary Our remarks Locatefamily.com is a non-EU based organization which • According to GDPR, Article 3(2), a data controller offers a platform enabling users to find the contact not established in the EU is subject to GDPR if they information of individuals they have lost contact with. offer goods or services to data subjects within the EU. The Dutch DPA received several complaints about Locatefamily.com for failing to respond to requests for • If a controller offers services through a website erasure by data subjects. Without their knowledge, the aimed at European residents, they must comply website disclosed personal data of roughly 700,000 with GDPR, Article 3(2) and appoint an EU Dutch people. representative. The decision of the Dutch DPA • The precise criteria for determining when goods or service are “offered to data subjects in the Union” The Dutch DPA found that the processing was within remains unclear. The mere fact of having a website the scope of the GDPR and decided to impose an or app that is available for data subjects in the EU administrative fine of 525,000 EUR on Locatefamily.com does not necessarily trigger GDPR, Article 3(2). for failing to appoint an EU representative (GDPR, Article 27(1) Pursuant to Article 3(2)(a)). • In the present case, the Dutch DPA probably found that Locatefamily fell under the GDPR because it disclosed information about a large number of European citizens and therefore should have foreseen that their service would be used by Europeans seeking to locate other Europeans. • Factors that support the conclusion that goods and services are offered to data subjects in the EU include: ° If the company uses marketing directed at EU citizens ° If the company has its website in European languages other than English ° If the company sell goods or services intended for European customers, such as travel services. Published: 14-01-2022, Journal number: N/A Tags: 03 Right to erasure and rectification Published: 10-12-2020, Journal number: n/a Tags: 07 Scope of the GDPR 25