On April 4th, 2023, the European Data Protection Board (‘EDPB’), which is composed of representatives of the EU national supervisory authorities and the European Data Protection Supervisor (‘EDPS’), published an updated version of the Working Party 29 Guidelines on personal data breach notification under the EU General Data Protection Regulation (‘GDPR’). The EDPB had initially endorsed the Working Party 29 Guidelines – without amendments – when the GDPR became applicable in May 2018. However, the EDPB recently considered that there was a need to clarify the GDPR’s breach notification requirements, in particular as regards personal data breaches suffered by controllers that do not have an establishment in the EU. The EDPB has therefore revised and updated the relevant section of the Guidelines, while the rest was left unaltered (save for editorial changes).
What has changed?
According to Article 3(2) GDPR, the data processing activities of a controller without a presence in the EU can be subject to the GDPR if the controller a) offers goods or services to individuals in the EU, or b) monitors their behavior (provided that behavior takes place in the EU). Controllers outside the EU that meet these criteria will be expected to comply with all controller-related obligations in the GDPR, including requirements on data security and the notification of personal data breaches. Unless exemptions apply, these controllers will also have to designate a representative for GDPR purposes, who must be established in a relevant EU Member State.
The initial Guidelines suggested that if a non-EU controller had designated a representative in the EU and suffered a personal data breach, it was sufficient to notify the supervisory authority in the EU Member State where the controller’s representative in the EU was established. It was on that basis that many non-EU controllers took the position that they could benefit from a “one-stop-shop” for breach notification purposes.
In its updated version of the Guidelines, the EDPB has now clarified that the mere presence of a representative in an EU Member State does not trigger the one-stop-shop system for non-EU controllers. Personal data breaches will therefore need to be notified to the supervisory authority of every EU Member State in which affected individuals reside. For example, if a controller outside of the EU sells its products online to consumers throughout the EU and a personal data breach occurs (affecting those consumers), the controller may have to submit up to twenty-seven separate breach notifications.
Although this approach seems needlessly bureaucratic and is likely to increase compliance burdens, it is consistent with the EDPB’s other guidance, in particular Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority (adopted on October 10th, 2022). Guidelines 8/2022 confirm that the GDPR’s cooperation and consistency mechanisms only apply to controllers with an establishment within the EU. If a controller has no EU establishment, the one-stop-shop principle does not apply, and the controller must “deal” with local supervisory authorities in every EU Member State where it is active, possibly through its representative for EU GDPR purposes.
Non-EU controllers with data processing activities that are subject to the GDPR should carefully consider that, if they are faced with a personal data breach, multiple supervisory authorities in the EU may need to be notified within the narrow timeframe imposed by the GDPR. Non-EU controllers that have designated a representative in the EU may be able to involve their EU representative with a view to streamlining the notification process, if this has been explicitly addressed in the EU representative agreement.