The European Data Protection Board changes the framework by which data breach notifications should take place under GDPR for non-EU businesses.
The European Data Protection Board (the EDPB), through its Guidelines 9/2022 on personal data breach notification under GDPR (the Guidelines), proposed certain changes to the way in which data controllers or processors that are not established in the EU notify data breaches affecting EU citizens. Under the General Data Protection Regulation (the GDPR), such controllers and processors are also subject to the GDPR regime.
In principle, the GDPR provides that in the case of a personal data breach, the controller in question shall, without undue delay, notify it to the competent supervisory authority. In relation to controllers or processors that are not established in the EU, the GDPR provides that such controllers or processors must designate a representative in the EU and, in the case of a data breach, only the supervisory authority of the EU member state of that designated representative needs to be notified by the non-EU established controllers and processors.
To illustrate with an example: prior to the Guidelines, an Indian company which processes personal data received from several European countries, and which has a designated representative in Cyprus in accordance with the GDPR, would have notified only the supervisory authority in Cyprus in the case of a data breach.
Now, under the new Guidelines of the EDPB, a new framework for data breach notification is proposed where a controller is not established in the EU. According to the Guidelines, where a controller not established in the EU experiences a data breach, that breach will no longer be notified solely to the supervisory authority in the member state of the designated representative; it must also be notified to the supervisory authority of every member state in which affected data subjects reside. Returning to the previous example, under the new regime the same Indian company now has to notify the supervisory authority of every EU member state where the affected data subjects reside. This notification is carried out in accordance with the mandate given by the controller to its designated representative and under the responsibility of the controller.
The proposed removal of the "one-stop shop" reporting mechanism not only could lead non-EU based companies into uncertainty when reporting data breaches affecting EU data subjects, but will also increase the workload of such companies, since they will have to notify, communicate and cooperate with multiple supervisory authorities at the same time. Moreover, international companies will need assistance to navigate the new, more complex data breach notification regime.