Updated Guidelines on Personal Data Breach Notification under GDPR
After a targeted public consultation, the European Data Protection Board (‘EDPB’) has published Guidelines 9/2022 on personal data breach notification under the General Data Protection Regulation (‘GDPR’) Version 2.0.
While GDPR mainly regulates how organizations should protect personal data, it also stipulates what an organization should do after it has undergone a security breach that affects personal data.
When it comes to a data breach, notifying the regulator and affected individuals in accordance with GDPR is a key part of every organisation’s breach response plan. Correct handling of a breach should help avoid the fines provided for by the European legislation in force.
According to GDPR, one of the essential aspects is regulated by Article 33, under which an organization must report a security breach that affects personal data to a Data Protection Authority (‘DPA’) within 72 hours of becoming aware of the breach.
The Guidelines already contained comprehensive explanations of the breach notification requirements that companies suffering a breach had to meet; however, the EDPB considered it necessary to complement them, in support of controllers, with further clarifications of the notification requirements concerning personal data breaches at non-EU establishments.
In this sense, provisions concerning this matter have been revised and updated, by specifically stating, on the one hand, that “the mere presence of a representative in a Member State does not trigger the one-stop shop system” and, on the other hand, that “the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State”.
These provisions focus on controllers that are not established in the EU but are subject to GDPR and are therefore bound by the notification obligation if a breach takes place. Although such controllers still have the obligation to designate a representative in the EU, they do not benefit from the one-stop-shop system, under which the notifying party only has to send its notification to one authority.
On the contrary, controllers that are not established in the EU but are bound by GDPR are required to notify every competent authority of a breach potentially affecting data subjects within its country.
The amendments proposed by the new Guidelines were harshly criticized during the consultation process by stakeholders. They pointed out that such changes would impose additional costs on companies established outside the EU, which would also have to set up organizational and technical solutions to fulfil all breach notification requirements. Some of the amendments would also be likely to impose logistically hard-to-meet obligations, which could even require notifying 30 different supervisory institutions in different languages within the imposed time limit of 72 hours.