Updated EDPB guidance on data breach notification: What companies urgently need to consider now

We already reported on the new data breach notification guidelines of the European Data Protection Board (EDPB) in November 2022 (see our website article). Now that the public consultation process has been carried out, the EDPB has published its updated data breach notification guidelines on 4 April 2023.

In this article you can find out what the updated guidelines mean for companies in concrete terms and what companies should imperatively take into account from now on.

Background
Companies that are not established in the EU, but nevertheless fall within the scope of the GDPR according to Article 3 GDPR, previously had to report any data protection breaches in the member state in which the representative of the responsible company in the EU had its establishment ("one-stop-shop" principle).

New regulation
In its new guidelines, the EDPB has now clarified that the mere presence of a representative in the EU does not trigger the "one-stop-shop" principle. Therefore, from now on, affected companies must report data protection violations that affect individuals in several member states to all supervisory authorities of the respective member states.

Recommendations for action for companies
As data breaches must be reported without delay and, if possible, within 72 hours of the breach becoming known, this can pose major challenges for companies. The new guidelines increase this pressure even more, as the notification of data protection breaches must be made to all competent supervisory authorities in the respective member states and this can lead to an enormous amount of work. In order to be able to meet the data protection requirements in the company, it is all the more important to implement appropriate guidelines and processes in the company in good time, which set out a uniform and regulated procedure for data protection breaches and meet the requirements of the European supervisory authorities.

Organised contingency planning and practical data breach management form the foundation for effective prevention by companies in order to avoid regulatory measures, fines and, if necessary, claims for damages by those affected. The careful implementation of the reporting and notification obligations is highly relevant in terms of data protection law. Violations can lead to fines for companies, among other things. Against this background, companies should urgently review their internal processes and policies regarding the handling of data protection incidents and subject them to a careful audit in order to ensure proper and timely notification of data protection breaches.

If you have any questions in this regard or would like assistance in implementing or revising your existing data breach management, please feel free to contact us. We regularly advise companies of all sizes on cross-border data protection incidents and are happy to help.