Recently, the European Data Protection Board (“EDPB”) updated its Guidelines on personal data breach notification under the GDPR. The update incorporates the results of a targeted public consultation on data breach notification by controllers not established in the EEA.

The EDPB identified a need to clarify the notification requirements for personal data breaches at non-EU establishments. The paragraph dealing with this matter has been revised and updated, while the rest of the document was left unchanged apart from editorial changes.

Where a controller not established in the EU is subject to the GDPR (article 3(2); 3(3)) and experiences a data breach, it remains bound by the notification obligations under the GDPR (article 33; 34).

Although controllers (and processors) that are not established in the European Economic Area (“EEA”) but are subject to the GDPR must designate a data protection representative (“DPR”) in the EEA, these guidelines make clear that the mere presence of a DPR in a Member State does not trigger the one-stop-shop mechanism. For this reason, a data breach must be notified by the controller to the data protection authority (“DPA”) of every EEA Member State in which affected individuals reside. This means that a controller not established in the EEA that experiences a data breach affecting individuals in multiple Member States is obliged to notify the DPA of each of those Member States.

Similarly, where a processor is subject to the GDPR, it is bound by the obligations on processors, of particular relevance here the duty to notify a data breach to the controller under the GDPR (article 33(2)).

Although this means more effort is required from controllers that are subject to the GDPR but not established in the EEA, the update provides more clarity about how to act in a GDPR-compliant manner in the event of a cross-border data breach.

Does this affect your organization’s data breach policy and procedure, or do you want to learn more about data breaches under the GDPR? Contact DPO Consultancy, experts in data privacy, via: info@dpoconsultancy.nl

https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en