The European Data Protection Board (EDPB) has published an updated version of the Guidelines on Personal Data Breach Notifications under the General Data Protection Regulation (GDPR).

The previous Guidelines provided that “notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established.” The revised Guidelines, however, state that “[…] the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller.”


Should the EDPB finalize the procedure suggested above, it could have immense implications for companies that are not established in the European Union (EU) but process the personal data of EU citizens. It is, therefore, important for companies to keep up to date with developments in privacy and data protection.

The revised Guidelines are open for public consultation until 29 November 2022.

Does your company have questions about how this may impact your operations within the EU, or does your company require the services of a representative? Contact us, the Experts in Data Privacy, at .


Guidelines 9/2022 on personal data breach notification under GDPR