Canadian organizations take note – Data Protection Authority fines foreign-based business under GDPR for not having “Article 27” representative

May 17, 2021 | David Krebs, Samantha Santos

As we have discussed in several previous articles, Canadian businesses and other organizations can be subject to the European General Data Protection Regulation (“GDPR”) for a number of reasons and in a number of different contexts: as a “data processor” (i.e., the service provider to the data controller), as a “data controller” (the organization deemed in control of the personal data at issue) or as a “joint controller” with another organization, irrespective of whether the Canadian concern has a physical presence in the EU. The requirement to have an “Article 27” representative has existed since the inception of the GDPR, but it has been an elusive and quite enigmatic requirement. Not to be confused with a “Data Protection Officer”, an “Article 27 representative” should serve as a contact and gatekeeper for matters pertaining to the processing of EU personal data. This requirement was not enforced at first, but that appears to be changing, with a company facing a considerable fine of €525,000.00 (approximately $900,000CDN) for failing to have a representative established.

Dutch Regulator Fines €525,000

On May 12, 2021, the Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (“DPA”), released its decision to impose a fine of €525,000 against, a platform that allows people to search for the contact information of family members or other people that they would like to connect with. The DPA found in breach of Article 27 of the GDPR, which requires businesses that have no establishment in a Member State of the European Union (the “EU”) but are subject to the GDPR by virtue of Art. 3.2(a) or 3.2(b) to designate a “representative” in the EU.

In addition to the fine, the DPA mandated that designate a representative in the EU by March 18, 2021. If it was unable to do so, was required to pay €20,000 for each two (2) week period that it did not have a representative, up to a maximum fine of €120,000.

The DPA reported that their decision came following the receipt of multiple complaints regarding and an international investigation in cooperation with nine other European privacy supervisory authorities and the Office of the Privacy Commissioner of Canada.

The DPA expressed concern regarding’s practice of publishing full addresses and phone numbers of individuals who most often are reported to be unaware of how their details came to appear on the site. With the contact information of approximately 700,000 Dutch people on the site, DPA deputy chair Monique Verdier mentioned that:

 “for a website to publish your phone number and address without your knowledge is unacceptable. You can certainly share this information if you want to, but this should be your choice to make. With, many people aren’t given that choice. And if your address and phone number do end up on this site, there must be an easy way to have that information removed. That’s not possible here, partly because does not have a representative in the EU.”

Pursuant to Article 27, a representative is a natural or legal person based in one of the EU member states who acts as a gatekeeper or local representative for an organization in the EU, serving as a record keeper and contact point for all issues or questions related to that organization’s processing of personal data under the GDPR. Companies may claim an exemption from Article 27 if their processing is “occasional”, “does not include, on a large scale, processing of special categories of data” (i.e., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation) and is unlikely to result in a risk to individuals’ privacy rights.


The Dutch DPA’s decision has practical compliance implications for Canadian businesses, particularly as the GDPR applies to many Canadian businesses that do business internationally. We recommend that all businesses that consider themselves subject to the GDPR but do not have an establishment in the EU conduct an analysis of whether this Article 27 representative obligation applies to them.

Miller Thomson’s privacy and cybersecurity team is ready to assist in these and other privacy and data security matters, and we will continue to monitor GDPR enforcement impacting Canadian businesses.

