Beannachtaí ó Bhaile Átha Cliath — Greetings from an unusually hot Dublin! “Tá an ghrian ag scoilteadh na gcloch,” as we say!

It’s not only the weather that is heating up here. Ireland appears to be the hotspot for international organizations looking for an Article 27 EU GDPR representative. As we know, the GDPR requires organizations not based in the EU but that process personal data relating to people in the EU, to appoint a representative in certain situations. This includes many multinationals based outside the EU that serve European customers. 

This issue has become quite the hot topic throughout Europe following a 525,000 euro fine imposed on the website “Locatefamily.com” by the Dutch DPA because it failed to comply with Article 27.

Locatefamily.com, according to their website, helps people “find family, long lost friends, old flames (and) neighbors, for FREE” and to do so, publishes people’s addresses, phone numbers and other personal details, in some cases without their knowledge. Complaints were made because Locatefamily.com did not have an EU representative, and data subjects in the EU had no easily accessible point of contact. They could not, as a result, effectively exercise their data protection rights.

According to the Dutch DPA’s news release, data subjects were unaware of how their details appeared on the site, as they did not provide the details themselves. Dutch DPA Deputy Chair, Monique Verdier, said, “For a website to publish your phone number and address without your knowledge is unacceptable (and that) private information must remain private.” While acknowledging that people can share this type of information if they wish, Verdier believes “this should be your choice to make.” Though the 525,000 euro fine is related to various compliance failures under the GDPR, the lack of an EU representative has received much attention.

It seems that many international organizations that do not have a presence in the EU but fall under the scope of Article 3(2) of GDPR have failed to designate an EU representative. This begs the question — do organizations not understand (or are unaware of) the obligation or have they decided to take the risk of not complying with Article 27, as there had been no enforcement regarding the obligation? The Dutch DPA’s decision to fine Locatefamily.com is a salutary reminder organizations must act.

Following the Locatefamily.com decision, here in Ireland we have seen a large increase in requests from all over the world to provide Article 27 representative services. Given that the U.K. is now no longer in the EU due to Brexit, the Article 27 EU representative requirement extends to U.K. businesses offering goods and services to people in the EU and vice versa. European organizations will need to consider whether they need to appoint a U.K. representative.

Of course, finding a suitable service provider is another issue. Some organizations seeking to base their EU representative in Ireland have considered that we are a (predominantly) English-speaking country, and we provide a home for many global tech companies, meaning that this is a country with a strong skills base of natural English speakers. For those based in common law jurisdictions such as Canada, Australia and the U.S., we are also a common law jurisdiction, so there are similarities between the legal processes in each of these countries.  

From what we see in practice, and perhaps due to the media attention given to the fine imposed on Locatefamily.com, organizations are taking action and appointing representatives here. So it appears that whatever the weather, Ireland is becoming the hotspot for Article 27 EU representative services.