EDPB Adopts Updated Guidelines on Personal Data Breach Notifications
On the 28th of March, the European Data Protection Board (EDPB) adopted and published the latest version of its guidelines on personal data breach notifications (Guidelines 9/2022), a long-awaited and much-debated topic in the world of data privacy. Since their adoption in 2017 and revision in 2018, the Guidelines had remained unchanged until last year, when an intended revision was announced and caused quite a stir.
The change concerns the way data breach notifications are made, in particular by controllers established outside the EU that nonetheless fall within the extraterritorial scope of the GDPR.
Article 3(2) sets out the circumstances under which the law applies to controllers based outside the EU, and Article 27 requires those controllers to appoint a representative based in one of the Member States. Under Article 33, personal data breaches must be notified to the competent authority no later than 72 hours after the controller becomes aware of them. Because there was some ambiguity about which supervisory authority (or authorities) a non-EU controller should notify, the previous resolution was that the notification should be made to the supervisory authority of the Member State in which the controller's EU representative is established.
With the updated Guidelines, the following change is made:
- Paragraph 72: “Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) GDPR and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34 GDPR. Article 27 GDPR requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.”
- Paragraph 73: “However, the mere presence of a representative in a Member State does not trigger the one-stop shop system. For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.”
What this means for you, as a controller, is that if you are based within the EU, you have to notify only the lead supervisory authority in the event of a personal data breach. However, if you are located outside the EU, or one of your entities is located outside the EU, you are now required to notify the supervisory authorities of all the Member States that the affected data subjects are citizens of.
In both cases, no later than 72 hours from the moment when you’ve become aware of the personal data breach …
As mentioned earlier in this article, this seems like a minor change, but in reality it comes with a significant impact. Some key points to consider are:
- Reporting a data breach within the first 72 hours is in and of itself quite a challenge if you are also involved in mitigating the breach. You are required to multitask, juggling security assessment, the patching that follows it, internal and external communication, potentially negotiating a ransom, and so on, all while continuing to run a business.
- Reporting a data breach within the first 72 hours while doing all of the above, and to every supervisory authority, each with its own data breach reporting form or procedure to follow, will most likely prove too difficult.
What you can do to prepare is to develop a clear step-by-step breach management plan, assign a person responsible for breach management and risk assessment, and draw up in advance a list of all the Data Protection Authorities of the countries from which the personal information you store originates, together with links to the relevant breach reporting forms. Being prepared will save you valuable time and allow you to focus on the essentials during those 72 hours: investigating the breach and adequately assessing its consequences.
It remains to be seen how this change will affect future reporting of personal data breaches. One final observation is that a footnote of the Guidelines states that, although “the EDPB considers the function of a representative in the Union as not compatible with the role of an external data protection officer (“DPO”), therefore the responsibility to notify the supervisory authority in case of a personal data breach remains that of the controller,” it allows for a representative to be “involved in the notification process if this has been explicitly stipulated in the written mandate.” While this does not remove the pressure, it does create room for controllers to rely on their representatives to take an active role in personal data breach reporting, as long as their contracts contain a mandate to that effect.