
€525,000 Fine: How a U.S. Company Violated the GDPR – and What It Means

A U.S. company published personal data of hundreds of thousands of EU citizens – without their knowledge, without a legal basis, and without the legally required point of contact within the EU. The consequence: a fine of €525,000, imposed by the Dutch Data Protection Authority. The Locatefamily.com case is a stark reminder that the GDPR is enforced rigorously, even against international platforms. 

The Violation: No EU Representative, No Recourse for Those Affected

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) determined that Locatefamily.com had breached one of the GDPR’s core obligations: the company had failed to designate a representative within the European Union.

Under Article 27 of the GDPR, companies based outside the EU that offer goods or services to individuals in the EU – or that process data of EU residents – are required to appoint an EU-based representative. This representative acts as a contact point for individuals wishing to exercise their data protection rights, such as requesting access to their data or having it deleted.

At Locatefamily.com, this mechanism was entirely absent. Anyone who wanted their data removed from the platform had no designated EU contact to turn to.

The Company: Personal Data Freely Accessible, Without Consent

Locatefamily.com is an international online platform that allows users to search for contact information of private individuals – including full home addresses and phone numbers. The data covers people from around the world, including EU citizens. In the Netherlands alone, nearly 700,000 individuals were listed on the site.

Particularly concerning: those affected were never asked for their consent, and many are entirely unaware that their information appears there at all. No membership or account registration is required – the data is freely accessible to anyone. What might appear at first glance to be a harmless online directory carries serious risks: identity fraud, harassment by phone or email, and even unwanted contact at someone’s home address are all realistic scenarios.

The Penalty: €525,000 and Cross-Border Enforcement

The Dutch Data Protection Authority imposed a fine of €525,000 on the company. The case did not remain confined to the Netherlands: nine other European supervisory authorities, as well as the Canadian data protection authority, were involved – a clear demonstration that cross-border data protection violations are pursued in a coordinated manner across jurisdictions.

Conclusion: The GDPR Makes No Exceptions for Foreign Companies

The Locatefamily.com case sends an unambiguous message: the GDPR applies to every company that processes data of EU residents, regardless of where that company is headquartered. Those who ignore binding legal obligations must expect substantial fines and cross-border enforcement proceedings. In Europe, data protection law has real teeth.

FX Data

Verhoevenstrasse 4
81739 Munich (Germany)