In October 2022, the EDPB launched a public consultation on a targeted update of paragraph 73 of its Guidelines 9/2022 on personal data breach notification under the GDPR. These Guidelines largely carry over the principles set out in the Article 29 Working Party's WP250 Guidelines on personal data breach notification under Regulation 2016/679 (as revised in 2018); the only major change the EDPB introduced concerns the notification rules applicable to non-EU companies subject to the GDPR.
Data breach notification for EU companies
For a data breach notified by a Controller established in the EU (a Processor does not notify the authority itself; under Article 33(2) it notifies the Controller), the EDPB made no changes compared to the previous position.
The one-stop-shop principle remains applicable. Therefore, where the data breach concerns data subjects in several Member States, it only needs to be notified to one Data Protection Authority, the Lead Supervisory Authority. The Lead Supervisory Authority is the authority of the Member State in which the Controller has its main establishment.
Data breach notification for non-EU companies
Before this update, a non-EU Controller subject to the GDPR could notify a data breach to the Data Protection Authority of the Member State in which its EU Representative (Article 27 GDPR) was established. This rule no longer applies.
Now, the notification must be made to each of the Data Protection Authorities concerned. In other words, where the data breach affects data subjects in 10 Member States, the Controller will need to prepare and submit 10 separate notification forms within the 72 hours allowed by Article 33(1), while at the same time investigating and mitigating the incident.
An EDPB guideline becomes applicable as of its release, even where a public consultation on it is still running in parallel. Thus, since October 2022, Controllers not established in the EU (whether or not they have appointed an EU Representative) must report data breaches to all concerned Data Protection Authorities.
It remains to be seen in practice whether this change will be truly effective: beyond adding administrative burden on Data Controllers, it will also consume valuable resources at the Data Protection Authorities themselves, each of which now receives a separate notification of the same incident.