New Guidelines on Personal Data Breach Notification
No one-stop store for non-EU controllers with representatives in the EU
The European Data Protection Board (EDPB) recently published new guidelines on personal data breach notification under the General Data Protection Regulation (GDPR) for public consultation. They revise the earlier guidelines of the Article 29 Working Party (WP250rev.01), which the EDPB had adopted. The guidelines cover the obligations under Articles 33 and 34 of the GDPR to notify personal data breaches to the supervisory authorities and to communicate them to the data subjects.
The key change in the new guidelines is that, for controllers not established in the EU to which the GDPR applies, the mere presence of a representative in the EU within the meaning of Article 27 of the GDPR does not trigger the so-called one-stop store principle. As a result, such non-EU controllers with representatives in the EU must report notifiable data breaches affecting data subjects in several Member States to every competent data protection supervisory authority, i.e. to the authorities of multiple Member States.
The new guidelines state in this regard in para. 73:
"However, the mere presence of a representative in a Member State does not trigger the one-stop-store system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller."
It should be emphasized that this is a version for public consultation. It is possible that some changes will be made to the guidelines based on the feedback received during the consultation process.
At SKW Schwarz, we regularly advise on data protection incidents and, of course, also determine for our clients to which authorities reportable data breaches are to be reported.