GDPR Fines: Dutch Regulator Fines Website for Lack of EU Representative; Norway Fines American AdTech Company for Unlawful Processing

The Dutch Data Protection Authority has imposed a first-of-its-kind fine for a violation of the GDPR’s requirement to appoint a GDPR representative in the EU, which applies to organizations established outside the EU. The €525,000 fine was imposed on the operator of the website locatefamily.com which publishes the contact information of data subjects, often without their knowledge, to allow others to locate and contact them. The Dutch Data Protection Authority indicated that it had received complaints from Dutch data subjects who wanted to de-list themselves from the website but were not able to obtain an effective response from the website.

According to the Dutch Data Protection Authority, the website publishes the personal data of approximately 700,000 individuals from the Netherlands, and their inability to de-list themselves was largely due to the absence of an EU representative for the website.

The Norwegian Data Protection Authority has announced its intention to impose a hefty €2.5 million fine on California-based Ad-Tech company Disqus for collecting and processing personal data which monitors the online activities of Norwegians through the use of cookies, without first obtaining their express, specific and granular consent. The Norwegian Data Protection Authority found that in the absence of consent, there is no valid legal basis for Disqus to collect and process this data, dismissing Disqus’s arguments that it can rely on its legitimate interests to legitimize its collection and processing of this data.

The Norwegian Data Protection Authority concluded that Disqus acted negligently in not activating its notice and consent tool for Norwegian data subjects as it misidentified Norway as a country not subject to the GDPR because it is not a member state of the EU. While Norway is not an EU member state, it is a member of the European Economic Area, which includes additional European countries that have also adopted the GDPR.

The Norwegian Data Protection Authority justified the hefty fine due to the duration of the violation (approximately 18 months), the estimated volume of impacted data subjects (hundreds of thousands to millions), the inability to contain and mitigate the violation because the personal data collected had already been disseminated throughout the AdTech industry, the commercial and for-profit nature of the violation, the inclusion of minors in the group of impacted data subjects, and the sensitive nature of the personal data collected, which could be indicative of sensitive categories of data such as political opinions.

CLICK HERE to read the Dutch Data Protection Authority’s press release on the fine against Locatefamily.com.

CLICK HERE to read the Norwegian Data Protection Authority’s Advance Notification of Administrative Fine against Disqus, Inc.