
British businesses are being warned that they should urgently consider appointing an EU-based data protection representative, following a decision by the Dutch data protection authority.

Locatefamily.com, based in Canada, aims to put people in touch with long-lost family members and has millions of individuals on its database, along with their addresses and in some cases their phone numbers.

However, it was found to be processing the data of EU citizens without adhering to GDPR, after several people complained that their details had been included on the website without their consent.

The company has now been fined €525,000 for failing to appoint an EU representative — and ordered to pay an extra €20,000 for each two-week period while it fails to do so, up to a maximum of €120,000.

"Not having a representative in the EU is a violation of privacy law and the reason for the fine," the authority says.

And according to Wouter Seinen, a partner with law firm Pinsent Masons and head of its Amsterdam office, the decision could have implications for thousands of UK-based businesses.

"Due to the binary nature of the data rep requirement, it is quite easy for a regulator to establish that an organisation is in breach, whilst it is almost impossible to find an excuse for not having met this requirement," he says.

"This is why this topic should be higher on the risk radar of non-European businesses — in particular operators of apps and websites."

Meanwhile, points out law firm Shoosmiths, non-UK businesses that process the data of UK-based individuals will need to appoint a UK data protection representative.

"Although the UK has left the EU, including the transition period, its data protection laws closely mirror those of the GDPR," warns the firm.

"It’s likely that this Dutch decision could also significantly influence how the UK data protection authority, the ICO, approaches a similar situation in the UK, if, for example, a business based outside of the UK were to fail to appoint a UK representative."

The warnings come as it's revealed that 661 GDPR fines have been issued by European data protection authorities since GDPR came into force three years ago, totalling nearly €293 million.

Research by campaign group Privacy Affairs shows that Spain issued the largest number of GDPR fines by far — 222 in total. Italy issued the second-largest number but was a long way behind, handing out just 73 fines.

The largest fine, €50 million, was issued by France against Google earlier this year, followed by a fine in Germany of €32 million.
