European Data Protection Board publishes updated Guidelines on Personal Data Breach Notification under the GDPR

On 3 October 2017, the Article 29 Working Party (WP29) adopted Guidelines on Personal Data Breach Notification under the GDPR, which were endorsed by the EDPB.

Following a targeted consultation published in October 2022, the EDPB has now published an updated version of the Guidelines that clarifies the notification requirements for personal data breaches at non-EU establishments. Accordingly, paragraph 73 in Section II.C.2 of the Guidelines has been revised and updated, while the rest of the document remains unchanged apart from editorial changes.

The EDPB says that any reference to the WP29 Guidelines should now be interpreted as a reference to these updated EDPB Guidelines 9/2022.

Section II.C.2 of the Guidelines concerns breaches at non-EU establishments.

The Guidelines explain that Article 3(3) of the GDPR states: “This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”.

Paragraph 72 of the Guidelines explains that where a controller not established in the EU is subject to Article 3(2) or Article 3(3) and experiences a breach, it therefore remains bound by the notification obligations under Articles 33 and 34. Article 27 requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.

However, updated paragraph 73 now states that the mere presence of a representative in a Member State does not trigger the “one-stop-shop” system. Therefore, the breach will need to be notified to the supervisory authority of every Member State in which affected data subjects reside. In line with Article 27(5), this is the responsibility of the data controller, because the EDPB does not consider the function of a representative in the Union to be compatible with the role of an external data protection officer. A representative can, however, be involved in the notification process if this has been explicitly stipulated in the written mandate.