The EDPB recently published updated Guidelines 9/2022 (“Guidelines”) on personal data breach notification under GDPR, following a targeted public consultation which concerned data breach notification for controllers not established in the EU/EEA. The updated Guidelines were adopted on 28 March 2023 and can be found here.
The key update to be aware of concerns paragraph 73 of the Guidelines, which relates to the notification requirements for personal data breaches at non-EU establishments. In particular, the updated paragraph 73 now clarifies that the presence of a representative in an EU Member State under Article 27 GDPR does not trigger the application of the one-stop-shop system for non-EU controllers. Aside from this change, there are no other substantive updates to the Guidelines. The amended paragraph 73 states:
“However, the mere presence of a representative in a Member State does not trigger the one-stop- shop system. For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.”
This means that, for non-EU controllers with a representative in the EU, the presence of that representative in an EU Member State will not enable the non-EU controller to take advantage of the one-stop-shop. Therefore, for breaches impacting multiple EU Member States, a non-EU controller will need to notify the breach to the data protection authorities (“DPAs”) in all EU Member States in which affected data subjects reside. While this will not be a particularly welcome clarification for non-EU controllers, it is not an especially surprising development, and essentially confirms the position as we already understood it. Nevertheless, non-EU controllers should still review their current incident response procedures, and factor this point into those procedures if they have not done so already.