LocateFamily – Violation Found (Latvia, 2023)

The controller managed a website called “Locate Family” which collected and published information about population in several countries. This information included address, phone number, name and surname of data subjects. The website enabled users to find relatives and friends in other countries. The Latvian DPA started an ex officio investigation. The controller claimed that the GDPR was not applicable to them, as the controller had no establishment within the EU. Moreover, the controller argued that data were collected prior to the the GDPR and by public available sources, where data were originally uploaded with the consent of the data subjects. The Latvian DPA disregarded the argument that the GDPR did not apply to the controller. As a matter of fact, the GDPR applies also to controllers that do not have an establishment within the EU, when their processing activities relate to the offering of goods and services to data subjects within the Union, regardless of whether the latter are asked to pay a fee, according to Article 3(2)(a) GDPR. The DPA also noticed then that the controller did not appoint any representative within the Union, as prescribed by Article 27(1) GDPR. The argument that data were collected before the GDPR were also discarded, as no provision in the text of the Regulation exempts such a category of data from the scope of the law. Finally, the DPA assessed whether the controller had a valid legal basis for the processing. The DPA found that consent was not valid, as it was originally given in the context of purposes other than the one at issue. Article 6(1)(a) GDPR also specifies that consent must be given for “one or more specific purposes” to be valid. The processing by the controller thus constituted a violation of Article 5(1)(b) GDPR, to the extent that it infringed the principle of purpose limitation. The fact that the information was publicly available did not authorise the controller to use it for its own processing activities. In ligh