European Data Protection Board updates guidance on data breach notifications
The question
How does the recent update to the European Data Protection Board (EDPB) guidance impact data breach notifications for businesses?
The key takeaway
If a business that is not established in the EU is required to make a personal data breach notification under the EU GDPR, it is now required to notify the supervisory authority in every Member State in which there is a data subject that has been affected by the breach.
The background
EDPB Guidelines 9/2022 (the Guidelines) were originally adopted in October 2022 and set out guidance regarding a controller’s obligations in the event of a personal data breach. When a breach occurs that is likely to result in a risk to the rights and freedoms of data subjects, Articles 33 and 34 of the GDPR require the controller to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Previously, a controller not based in the EU who suffers such a breach would typically notify the supervisory authority in the Member State in which its EU representative is located.
The development
Following a consultation in October 2022, paragraph 73 of the Guidelines was amended and the updated Guidelines were adopted on 28 March 2023.
The amended paragraph 73 states that the mere presence of an EU representative (of a controller not based in the EU) does not trigger the one-stop shop system. Instead, in the event of a breach, the controller must notify every supervisory authority for which affected data subjects reside in their Member State.
Why is this important?
The update to the Guidelines places significant new obligations on data controllers in the event of a breach. It is particularly onerous given the timescales for notification set out in the EU GDPR and that failure to comply with the GDPR (as interpreted according to the Guidelines) may result in penalties such as fines.
Any practical tips?
Businesses should consider and identify the strategy they wish to adopt going forwards in light of the obligations of paragraph 73. Some businesses may take the view that, in the event of a breach, the safest approach is to notify all supervisory authorities in the Member States in which the business operates. Given the cost implications, others may look to review their internal processes so that, in the event of a breach, they can identify where the affected data subjects are located and thereby focus their efforts on notification in those Member States.
Summer 2023
Stay connected and subscribe to our latest insights and views
Subscribe Here