AP - locatefamily.com

From GDPRhub
AP - locatefamily.com
LogoNL.png
Authority: AP (The Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 27(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 10.12.2020
Published: 12.05.2021
Fine: 525000 EUR
Parties: locatefamily.com
National Case Number/Name: locatefamily.com
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Autoriteit Persoonsgegevens (in NL)
Initial Contributor: n/a

The Dutch DPA fined a Canada-based controller €525,000 for not appointing an EU representative despite offering services to individuals within the EU.

English Summary[edit | edit source]

Facts[edit | edit source]

Locatefamily.com is an organisation established outside of the European Union (EU) that with its website 'Locatefamily.com' offers a platform on which anyone can search for contact details of friends and family they have lost track of.

The AP stated that it received 19 complaints between 25 May 2018 and 25 July 2019 from individuals who had not registered with Locatefamily.com, but whose information, including full addresses and sometimes telephone numbers, had appeared on the website without their knowledge. The complaints concerned the failure of Locatefamily.com to respond to requests for erasure, and the lack of an official EU representative.

On 18 July 2018 the AP sent a request for mutual assistance under Article 61 GDPR to other EU DPAs, asking whether they had received similar complaints on Locatefamily.com. Ten DPAs responded confirming that they had, and the AP initiated an ex officio investigation into Locatefamily.com regarding a potential violation of Article 27 GDPR.

The dispute regarded whether it is necessary for locatefamily.com to appoint a representative in the European Union. Locatefamily.com argued it was not, as it has no office or representatives in the EU, and does not offer goods and services to the EU, preventing the application of the GDPR under Article 3.

Holding[edit | edit source]

The AP fined Locatefamily.com €525,000 for not appointing an EU representative. It further required Locatefamily.com to pay an exrta €20,000 for each two-week period it failed to appoint an EU representative, up to a maximum of €120,000.

The AP underlined that its investigation, which was carried out in collaboration with other EU supervisory authorities, revealed that locatefamily.com offered its services both in the Netherlands and in eight other EU countries. In accordance with Article 3(2) GDPR, Locatefamily.com's processing activities fell within the GDPRs territorial scope, and it was obliged to appoint an EU representative with whom EU citizens could exercise their privacy rights.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Subject 
Decision to impose an administrative fine and order subject to a penalty

Dear Madam/Sir,

The Dutch Personal Data Authority (AP) has decided to impose an administrative fine of €525,000 on Locatefamily.com, because in the period from 25 May 2018 until today Locatefamily.com has not complied with the obligation to designate in writing a representative in the European Union (EU). Locatefamily.com has thereby violated article 27, paragraph 1, in conjunction with article 3, paragraph 2, of the General Data Protection Regulation (AVG).

The AP has also decided to impose an order under penalty clause on Locatefamily.com, which is aimed at restoring this ongoing infringement. To do so Locatefamily.com has to comply with the obligation as set out in article 27 of the AVG within twelve weeks after the date of and with due observance of this decision and appoint a representative in writing in the EU. If Locatefamily.com does not comply within this period Locatefamily.com forfeits a penalty of €20,000 for every fortnight after expiry of the period of grace, to a maximum amount of in total €120,000.

The decision is explained below. Chapter 1 contains the relevant facts and the course of the proceedings. Chapter 2 describes the legal framework. Chapter 3 contains the assessment of the AP, after which chapter 4 gives reasons for the amount of the administrative fine. Chapter 5 contains the order subject to a penalty. Finally, chapter 6 contains the operative part and the legal remedies clause.

1. Facts and procedural history

Locatefamily.com is an organisation established outside of the European Union (EU) that with its website 'Locatefamily.com' offers a platform on which anyone can search for contact details of friends and family they have lost track of.

As the AP does not have a branch address of Locatefamily.com, communication with Locatefamily.com was only via email.

In the investigation period from 25 May 2018 to 25 July 2019, the AP received nineteen complaints regarding Locatefamily.com. The complaints concern the failure to (adequately) respond to requests to erase personal data of data subjects and the lack of a branch office or representative of Locatefamily.com within the EU.

In response to the complaints received, the AP sent a request for information to Locatefamily.com by email on 26 June 2018, to which Locatefamily.com responded by email on 2 July 2018.

On 9 July 2018, the AP sent a second request for information to Locatefamily.com by email, to which Locatefamily.com responded by email on 19 July 2018.

On 18 July 2018, the AP sent a request for mutual assistance under Article 61 of the AVG to fellow supervisors within the EU, asking whether they have received any complaints or signals regarding Locatefamily.com and whether there is an establishment or representative of Locatefamily.com in the relevant country. In early September 2018, ten EU regulators responded to the request of 18 July 2018.5 A number of countries also confirmed having received complaints about Locatefamily.com.

Following an increase in the number of complaints about Locatefamily.com both in the Netherlands and in other EU Member States, the AP launched an ex officio investigation into Locatefamily.com in late December 2018 regarding a suspected breach of Article 27 of the AVG, pursuant to which the controller or processor must designate in writing a representative in the EU.

In March 2019, the AP conducted a technical investigation which revealed Canada as a possible place of business for Locatefamily.com.6 Thereafter, the AP initiated international cooperation through the Enforcement subgroup of the European Data Protection Board (EDPB).

On 19 March 2019, a conference call of this collaborative group of a total of nine European regulators took place, chaired by the AP.

On 25 March 2019, on behalf of the collaborating European regulators, the AP sent a letter to the Office of the Privacy Commissioner of Canada, requesting information regarding Locatefamily.com.

As the business address of Locatefamily.com remained unknown for the time being, it was subsequently agreed by the Irish, French and Dutch regulators to address national complaints submitted regarding data erasure requests to Locatefamily.com.

On 8 April 2019, the AP provided Locatefamily.com by email with an overview of the complaints it had received regarding Locatefamily.com's handling of data erasure requests, highlighting Locatefamily.com's obligations under the AVG.

By emails dated 10 April 2019 and 27 July 2019, Locatefamily.com notified the AP about deletion of personal data from its website.10 The request was largely honoured by Locatefamily.com in all three countries (Ireland, France, and the Netherlands).

On 28 May 2019, the Privacy Commissioner of Canada notified the AP that it was working on the AP's 25 March 2019 request.

On 22 July 2019, the AP sent a third request for information to Locatefamily.com by email.

When asked in this email of 22 July 2019 for an address of Locatefamily.com or of a representative in the EU, the AP did not receive a response from Locatefamily.com.

The findings of the investigation by the AP are contained in the report 'Locatefamily.com on lack of legal representative within the EU', adopted on 25 July 2019 (hereinafter: investigation report). 

On 24 February 2020, the AP sent an intention to enforce to Locatefamily.com via digital dispatch13 together with the aforementioned investigation report and the underlying documentation, whereby Locatefamily.com was also given the opportunity to submit a view by 23 March 2020. To date Locatefamily.com has not used this opportunity.

Based on the Report of Findings and the underlying documentation the AP finds the following relevant facts.

Locatefamily.com

Locatefamily.com's website offers a platform for anyone who is looking for contact information of friends they have lost sight of by providing the so-called NAW-data, name, address, place of residence and sometimes phone number of those involved. Locatefamily.com offers this information to any interested party free of charge. The website is publicly accessible and contains data of both EU and non-EU residents.14 Locatefamily.com compiles the data without the data subjects having to become members of the platform or having to create an account.15 Research conducted by the AP together with its European counterparts has shown that Locatefamily.com has offered its services in the Netherlands as well as in eight other EU countries. Several EU regulators have confirmed that complaints regarding Locatefamily.com have been submitted by data subjects from the relevant countries.

Place of business/representation

On the website of Locatefamily.com neither a privacy contact nor a business address and/or representative office can be found.

In response to the AP's question to Locatefamily.com whether it has a representative or a branch office
in the EU,17 Locatefamily.com stated the following on 2 July 2018:

"LocateFamiÏy.com is not located in the European Union and does not have any business relationships in the European Union. We do not have an office or a representative in the European Union. LocateFamily.com does not offer goods or services to the European Union.

We are available to respond to any questions you may have regarding the complaints you mention. If you provide us with the names of the individuals and or their e-mail addresses we can provide you with a report that indicates when the removal request was received and when the information was removed."

When asked by the AP where Locatefamily.com's head office is located, it posted the following on 19 July 2018: 19

"As we have already explained in our previous email, we have no business relationships in the European Union, and we do not have an office or a representative in the European Union. We also do not offer goods or services to the European Union.

To be clear we are not situated in any country of the European Union.

We respect the wishes of people who want their address information removed from the web site, and the information is removed within a few days, regardless of which country the individual resides in. Consequentl we are puzzled as to why you would need to know where we are situated."

Furthermore, European regulators have indicated that no branch or representative of Locatefamily.com has been found in the relevant country where those regulators are located.

Technical research performed by the AP with respect to the webhost of the Locatefamily.com website showed that Locatefamily.com might be located in Canada.20 International cooperation with fellow supervisors showed that a representative of Locatefamily.com was missing in the EU and that the number of complaints was increasing both in the Netherlands and in other EU Member States.

The subsequent request of 25 March 2019 by the AP, on behalf of the cooperating European regulators, to the Privacy Commissioner of Canada22 to find out who the contracting party of the web host of the Locatefamily.com website is, in order to be able to trace the business address of Locatefamily.com, has so far not yielded any concrete indications about the business location of Locatefamily.com.

Consultation by the AP of the trade register of the Chamber of Commerce in the Netherlands has not yielded any results regarding Locatefamily.com.23 The other EU regulators have conducted a similar desk search and have not found a registration of Locatefamily.com or a representative of Locatefamily.com either. The European justice portal (E-Justice portal)24 also does not contain any information on an establishment and/or representative of Locatefamily.com in the EU.

Complaints

In the investigation period from 25 May 2018 to 25 July 2019, the AP received nineteen complaints regarding Locatefamily.com. Investigations by fellow European regulators have shown that complaints have also been made in other EU Member States by data subjects from the relevant countries regarding the Locatefamily.com website.

2. Legal framework

2.1 Scope of the AVG

Pursuant to Article 2, first paragraph, of the AVG, this Regulation applies to the processing of personal data wholly or partly by automatic means, as well as to the processing of personal data which are contained in a file or which are intended to be included in a file.

Pursuant to Article 3, paragraph 1, of the AVG, this Regulation applies to the processing of personal data in connection with the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Pursuant to Article 3(2) of the AVG, this Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing is related to:

(a) the offering of goods or services to such data subjects in the Union, regardless of whether a payment is required by the data subjects; or

(b) monitoring their behaviour, insofar as this behaviour occurs in the Union.

Pursuant to Article 4 of the AVG, the following definitions shall apply:

(1) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, [...].

2) "Processing" means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction; [...].

(7) 'controller' means a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the latter may determine who the controller is or the criteria for his nomination; [...].

(8) "processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(17) 'representative' means a natural or legal person established in the Union who has been appointed in writing by the controller or processor pursuant to Article 27 to represent the controller or processor in connection with their respective obligations under this Regulation.

2.2 Representatives of controllers not established in the Union

Article 27 of the AVG provides the following:

1. Where Article 3(2) applies, the controller or processor shall designate in writing a representative in the Union.

2. The obligation contained in paragraph 1 of this Article shall not apply to:

(a) incidental processing not involving large-scale processing of special categories of personal data referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, which is unlikely to present a risk to the rights and freedoms of natural persons, taking into account the nature, context, extent and purposes of the processing; or

(b) a public authority or a public body.

3. The representative shall be established in one of the Member States where the data subjects whose personal data are processed in connection with the supply of goods or services to them or whose behaviour is observed are located.

4. In order to ensure compliance with this Regulation, the representative shall be authorised by the controller or processor to be contacted by the controller or processor in addition or instead of him/her, in particular by the supervisory authorities and data subjects, on all matters relating to the processing.

5. The appointment of a representative by the controller or the processor shall be without prejudice to the possibility of bringing proceedings against the controller or the processor themselves.

3. Assessment

3.1 Processing of personal data

As mentioned before, Locatefamily.com offers a platform on which everyone can search for contact details of friends they have lost sight of and registers the data of many people involved on its website. This concerns name and address details and sometimes telephone numbers, which are visible to any interested party.

Directly identifying data are data that relate to a person whose identity can be unequivocally established without much ado. Directly identifying data are data such as name, address and date of birth which, when combined, are so unique and therefore characteristic of a certain person that he/she can be identified with certainty or with a high degree of probability in a broad sense. Such data are also used in society to distinguish individuals.

Name, address and place of residence data make data subjects directly identifiable and therefore qualify as personal data within the meaning of Article 4, opening words and (1) of the AVG.

Based on Article 2, paragraph 1 and Article 3, paragraph 2, of the AVG, the AVG applies to the processing, by a controller or processor not established in the Union, of personal data of data subjects located in the Union, in whole or in part, when the processing is related to the offering of goods or services to these data subjects in the Union.

The registration, digital storage and making available of these personal data via its website Locatefamily.com involves the automated processing of personal data.

The AP concludes that there is processing of personal data to which the AVG applies according to the aforementioned provisions. 

3.2 Controller

In the context of the question who is or are to be regarded as the data controller(s) within the meaning of Article 4, opening words and under 7 of the AVG, the determining factor is who determines the purpose of and the means for processing personal data.

The Privacy Policy of Locatefamily.com states the following:

"LocateFamily.com does not redistribute information, email addresses, or information obtained from communications with individuals regarding LocateFamily.com, to any third parties. Information displayed on LocateFamily.com is collected and maintained by LocateFamily.com for sole use by LocateFamily.com."

Also, Locatefamily.com states on its website:

"LocateFamily.com updates its database on a regular basis to ensure that the information displayed continues to be valid." [...] "LocateFamily.com makes the information in its pages available as is and does not warrant the veracity of the information. The sole intent of making the data available is purely for informational purposes."
[...].

"Information displayed on LocateFamily.com is property of LocateFamily.com and its interests."

Locatefamily.com is, according to this Privacy Policy and explanation on its website, a data controller. Thus Locatefamily.com determines what the data is used for, who can receive the personal data and if they provide personal data to third parties outside the European Union.

Processing of personal data by Locatefamily.com takes place with the purpose of making it available to anyone who is looking for a certain person who has lost track of him or her. This service is offered free of charge for family reunions, school reunions and the like. The means for processing personal data in this case is the registration of personal data on the website of Locatefamily.com.

Furthermore it is of importance that Locatefamily.com, in response to the notice of the AP concerning the complaints about the handling of requests for removal, has as yet complied with these requests and has proceeded to remove the personal data of the persons concerned from its website.

In view of the above, Locatefamily.com has control over how the rights of data subjects and the processing of personal data of data subjects are handled and determines the purposes and means of this processing.

Locatefamily.com therefore qualifies as a controller in the sense of Article 4, opening words and under 7, of the AVG.

3.3 Violation regarding the appointment of a representative

Pursuant to Article 27(1), the controller, or the processor where Article 3(2) of the AVG applies, shall appoint a representative in the Union in writing.

In this case, it concerns the processing of personal data of data subjects who are located in the EU. When opening the website of Locatefamily.com name, address and residence data of persons within and incidentally also outside the EU are shown. These personal data of EU residents are processed by Locatefamily.com to offer services through the website like family reunions, school reunions etcetera. It appeared that these services are also aimed at EU residents and are offered in several EU countries. 

Furthermore, the investigation by the AP in cooperation with fellow European regulators has shown that no branch or representative of Locatefamily.com has been found in the relevant EU Member State. Consultation of the trade register of the Chamber of Commerce in the Netherlands by the AP did not yield any results regarding Locatefamily.com.32 The other EU regulators conducted a similar desk search and did not find a registration of Locatefamily.com or a representative of Locatefamily.com either. Consultation of the European justice portal (E-Justice portal) did not find a branch and/or representative in the EU either. On the website of Locatefamily.com neither a privacy contact nor a branch and/or representative address can be found.

Based on the research findings it can be concluded that in the case of Locatefamily.com there is a data controller not established in the EU. Furthermore, it has become apparent that a representative as defined in Article 4, opening words and under 17, of the AVG has not been appointed in the EU as required by Article 27, paragraph 1, of the AVG. Locatefamily.com has also confirmed this to the AP. In response to the AP's question to Locatefamily.com on 26 June 2018 as to whether it has a representative or an establishment in the EU, Locatefamily.com indicated on 2 July 2018 that it is not established in the EU nor does it have an office or representative in the EU.

With the applicability of Article 3(2) of the AVG, the obligation under Article 27(1) of the AVG to appoint a representative in the EU is given, unless one of the two exceptions of Article 27(2) of the AVG applies.

These exceptions do not occur in the case of Locatefamily.com. The investigation findings have shown that there is no question of incidental processing, nor of a situation in which the data controller is a government agency or a government body.

Based on the above, the AP concludes that Locatefamily.com, as a controller established outside the EU, acted in violation of Article 27, first paragraph, in conjunction with Article 3, second paragraph, of the AVG, by failing to appoint a representative in the EU in writing.

3.4 Conclusion
In view of the foregoing, the AP considers that Locatefamily.com has violated Article 27(1) of the AVG, read in conjunction with Article 3(2) of the AVG, as it has not complied with the obligation to designate in writing a representative as defined in Article 4, introductory paragraph, and (17) of the AVG, in the EU during the period from 25 May 2018 to the present. The breach continues today.

4. Penalty

4.1 Introduction

In view of the violation established above, the AP has reason to make use of its authority under Article 58, second paragraph, opening words and under (i), in conjunction with Article 83, fourth paragraph, opening words and under (a) of the AVG and Article 14, third paragraph, of the UAVG, to impose a fine on Locatefamily.com. The AP uses the Penalty Policy Rules 2019 for this purpose.

Pursuant to Article 83(4)(a) of the AVG, breaches of Article 27 of the AVG are subject to administrative fines of up to €10,000,000 or, for an undertaking, up to 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher, in accordance with paragraph 2.

4.2 The Authority for the Protection of Individuals with regard to the Processing of Personal Data (Penalty Policy Rules 2019)

The AP has adopted Fines Policy Rules 2019 on the interpretation of the aforementioned power to impose an administrative fine, including the determination of its amount.

Pursuant to Article 2, under 2.1, of the Penalty Policy Rules 2019, the provisions in respect of which the AP may impose an administrative penalty of up to the amount of €10,000,000 [...] are classified in Annex 1 in category I, category II or category III. In Annex 1, the violation of Article 27(1) of the AVG is classified as category III.

Pursuant to Article 2.3 of the 2019 Penalty Policy Rules, the AP sets the basic fine for violations subject to a statutory maximum fine of €10,000,000 [...] within the ranges of fines set out in that Article. For violations in category III of Annex 1 of the 2019 Fines Policy, a range of fines between €300,000 and €750,000 and a basic fine of €525,000 applies.

Pursuant to Article 6 of the 2019 Fine Policy Rules, the AP determines the amount of the fine by adjusting the amount of the basic fine upwards (up to the maximum of the bandwidth of the fine category linked to a violation) or downwards (up to the lowest of the minimum of that bandwidth). The basic fine is increased or decreased depending on the extent to which the factors listed in Article 7 of the 2019 Fines Policy give rise to this. 

Pursuant to Article 7 of the 2019 Policy Rules on Fines, the AP, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act (Awb), will take into account the following factors derived from Article 83(2) of the AVG, referred to in the Policy Rules under a through k:

a. the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing in question, as well as the number of data subjects affected and the extent of the damage suffered by them;

b. the intentional or negligent nature of the breach;

c. the measures taken by the data controller [...] to limit the damage suffered by the data subjects;

d. the degree to which the data controller [...] is responsible in view of the technical and organisational measures which it has implemented in accordance with Articles 25 and 32 of the AVG

e. previous relevant breaches by the controller [...];

f. the degree of cooperation with the supervisory authority to remedy the breach and limit its possible negative consequences

g. the categories of personal data affected by the breach

h. the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller [...] notified the breach;

i. compliance with the measures referred to in Article 58(2) of the AVG, insofar as these were previously taken in respect of the controller [...] in question in relation to the same matter;

j. adherence to approved codes of conduct pursuant to Article 40 of the AVG or to approved certification mechanisms pursuant to Article 42 of the AVG; and

k. any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains made or losses avoided, whether or not directly resulting from the breach.
Under Article 8.1 of the 2019 Penalty Policy Rules, if the penalty category determined for the violation does not allow for appropriate punishment in the particular case, the AP may apply the penalty band of the next higher category or the penalty band of the next lower category when determining the amount of the penalty.

Pursuant to Article 9 of the Penalty Policy Rules 2019, in determining the fine, the AP will, if necessary, take into account the financial circumstances of the offender. In case of reduced or insufficient financial capacity of the offender, the AP may further mitigate the fine to be imposed if, after application of Article 8.1 of the policy rules, adoption of a fine within the range of fines of the next lower category would nevertheless, in its opinion, result in a disproportionately high fine.

4.3 Level of the fine

According to the AP, in this case the following factors, in particular, as referred to in Article 7, are relevant for determining the amount of the fine:

a. The nature, seriousness and duration of the infringement;

b. the intentional or negligent nature of the breach (culpability)

c. the measures taken by the controller or processor to mitigate the damage suffered by the data subjects.

4.3.1 Nature, seriousness and duration of the breach

Pursuant to Article 7, opening words and under a, of the Penalty Policy Rules 2019, the AP takes into account the nature, seriousness and duration of the breach. In assessing this, the AP takes into account, among other things, the number of data subjects affected and the extent of the damage suffered by them.

The protection of natural persons in the processing of personal data is a fundamental right. Under Article 8(1) of the Charter and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning them. The principles and rules on the protection of natural persons with regard to the processing of their personal data must comply with their fundamental rights and freedoms, and in particular their right to the protection of personal data. The AVG aims to contribute to the establishment of an area of freedom, security and justice and of an economic union, as well as to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of natural persons. The processing of personal data should be for the benefit of human beings. The right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights in accordance with the principle of proportionality. Any processing of personal data must be done properly and lawfully. It should be transparent for individuals that their personal data are being collected, used, accessed or otherwise processed and the extent to which the personal data are being or will be processed.

Where a controller or processor not established in the Union processes personal data of data subjects who are in the Union, and the processing relates to the offering of goods or services - whether or not a payment is required by the data subjects - to those data subjects who are in the Union, or to the monitoring of their behaviour in the Union, the controller or processor should designate a representative, unless the processing is incidental, does not involve the processing of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and in view of its nature, context, scale and processing purposes is not likely to pose a risk to the rights and freedoms of natural persons, or unless the controller is a public authority or body.
At least since 25 May 2018, Locatefamily.com has not complied with its obligation to appoint a representative in writing in the EU. In the investigation period from 25 May 2018 to 25 July 2019, the AP received nineteen complaints regarding Locatefamily.com. These complaints concern the failure to comply with data erasure requests by data subjects and the lack of an establishment or representative of Locatefamily.com in the EU. It has been established that similar complaints have also been received by other EU Member States regarding Locatefamily.com. This underlines the importance of having a representative in the EU who acts on behalf of the controller with regard to its obligations under the AVG. It is of fundamental importance for debating the rights of data subjects, as laid down in the AVG, that also data controllers established outside the EU and offering services in the EU are in practice accessible to both data subjects and the supervisory authorities on all processing-related matters. In fact, data subjects in the EU lack a single point of contact to which they can turn if they want to exercise their rights under the AVG. Also in view of the number of data subjects affected and the duration of the violation, the AP is of the opinion that this is a serious violation.

The AP sees no reason to increase or decrease the basic amount of the fine pursuant to Article 7(a) of the 2019 Fines Policy.

4.3.2 Intentional or negligent nature of the breach (culpability)

Pursuant to Section 5:46(2) of the Awb, when imposing an administrative fine, the AP takes into account the extent to which the offender can be blamed. Pursuant to Article 7(b) of the Penalty Policy Rules 2019, the AP takes into account the intentional or negligent nature of the infringement. Since this is a violation, in accordance with established case law35 , the imposition of an administrative fine does not require proof of intent and the AP may assume culpability if culpability is established.

There are no circumstances that would lead to the conclusion that there is no obligation for Locatefamily.com to appoint a representative in the EU. With respect to the knowledge that an addressee of a standard - in this case Locatefamily.com - is expected to have of the applicable legislation and regulations, the AP takes the position that the starting point is that market parties have their own responsibility to comply with the law.37 If doubt had arisen about the scope of the prohibition, then, also according to established case law, a professional and multinational operating market party such as Locatefamily.com may be expected to inform itself, or have others inform themselves, about the restrictions to which its behaviour is subject, so that it could have adjusted its behaviour to the scope of that prohibition from the outset.38

In light of the above, the AP therefore considers the violation culpable.

4.3.3 Other circumstances and proportionality

The AP also sees no reason to increase or decrease the basic amount of the fine of €525,000 on the basis of the other circumstances listed in Article 7 of the 2019 Penalty Policy Rules, insofar as applicable in the case at hand.

The application of the policy for determining the amount of the fine does not lead to a disproportionate outcome in view of the circumstances of the specific case.

4.3.4 Conclusion

In view of all the circumstances of this case, including the nature, duration and seriousness of the infringement, the AP considers a fine of €525,000 appropriate and necessary.

5. Order under penalty

5.1 Charge

Since the infringement is continuous, it should be ended as soon as possible. For this reason, in addition to the above-mentioned fine, the AP imposes an order subject to periodic penalty payments pursuant to Article 58(2) opening words and under (d) of the AVG, Article 16(1) of the UAVG and Article 5:32(1) of the Awb.
This means that Locatefamily.com still fulfils the obligation as stated in article 27, first paragraph of the AVG and appoints a representative in the EU in writing.

5.2 Period of grace and amount of the periodic penalty payment
The AP attaches a period of grace of twelve weeks to the order for periodic penalty payments. This period offers Locatefamily.com, in the opinion of the AP, sufficient opportunity to end the violation.

Article 5:32b, third paragraph, of the Awb prescribes that the amount of the penalty is in reasonable proportion to the seriousness of the interest violated and to the intended effect of the penalty. With respect to the latter it is important that a penalty payment has to give such an incentive to comply with the order.

If Locatefamily.com does not end the observed infringement within twelve weeks, it will forfeit a penalty payment for every fortnight that the order is not (entirely) met. The AP fixes the amount of this penalty for every fortnight after expiry of the period of grace at an amount of €20,000 (in words: twenty thousand euro), to a maximum of in total €120,000 (in words: one hundred and twenty thousand euro).

If Locatefamily.com wishes to avoid forfeiture of the penalty immediately after expiry of the period of grace, the AP advises Locatefamily.com to send evidence - which Locatefamily.com can use to prove it complies with the order under penalty - to the AP for assessment in good time and at least one week before the end of the period of grace.

6. Operative part of the order

Fine

The AP imposes an administrative penalty on Locatefamily.com, for breach of Article 27(1) of the AVG, read in conjunction with Article 3(2) of the AVG, in the period from 25 May 2018 to the present, in the amount of €525,000 (in words: five hundred twenty-five thousand euros).39

Order under penalty

Within twelve weeks of the date of this decision and with due observance of it Locatefamily.com must take measures to ensure that a written representative is appointed in the EU.

If Locatefamily.com does not, within twelve weeks after the date of this decision, implement the measures to (fully) comply with the order, Locatefamily.com shall forfeit a penalty payment of €20,000 (in words: twenty thousand Euros) for every fortnight after the expiry of the period of grace, to a maximum amount of in total €120,000 (in words: one hundred and twenty thousand Euros).

Yours sincerely,
Personal Data Authority.