On 28 March 2023, the European Data Protection Board ("EDPB") adopted updated guidelines on the obligation for non-EU established controllers to notify supervisory authorities ("SA") following a personal data breach. Article 4(12) of the General Data Protection Regulation ("GDPR") stipulates that a personal data breach occurs when there is an "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

According to Article 33(1) GDPR, data controllers must notify the SA of a personal data breach without undue delay, and where feasible, not later than 72 hours after having become aware of it. In addition to controllers being compelled to alert their national SA, in the event of a cross-border breach, this must also be brought to the attention of the SA of every EU member state where affected data subjects reside.

The "One-stop shop" ("OSS") mechanism

In an attempt to deal with the administrative burden that controllers encounter when they have multiple EU member states' SAs to notify, the EDPB introduced the OSS mechanism, the guidelines for which were initially provided by the Article 29 Working Party ("WP29") (the EDPB's predecessor) on 13 December 2016.

The OSS mechanism permits controllers to notify only the lead SA of the member state where their main establishment and representative are located. This means that the responsibility for enforcement essentially lies with the lead SA, which then carries the duty of escalating the breach and coordinating with the other concerned SAs.

Updated guidelines for non-EU establishments

On 10 October 2022, the EDPB launched a consultation to discuss the applicability of the OSS mechanism and how the notification obligation should be clarified within the guidelines for non-EU based establishments that, in line with Article 27(1) GDPR, have a representative in the EU.

Following the consultation, the EDPB has now addressed the notification obligation for non-EU based establishments in paragraphs 70-74 of the updated guidelines. Paragraph 73 confirms that "the mere presence of a representative in a Member State does not trigger the one-stop shop system. For this reason, the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State". The EDPB's updated guidelines explicitly set out that the obligation to notify remains with the non-EU controller, which brings some much-needed clarity to the already endorsed WP29 guidelines.

The EDPB's updated guidance further specifies that, for entities not established in the EU, "the function of a representative in the Union is not compatible with the role of an external DPO". In practice this means that, although a representative can be involved in the notification process when this is explicitly stipulated in the representative's written mandate, "the responsibility to notify remains that of the controller in line with Article 27(5)" GDPR.

Overall, the outcome of these reviewed and updated guidelines affirms the notion that, following a personal data breach, non-EU controllers who are subject to the GDPR will have to deal with all relevant SAs separately and their responsibilities cannot be entirely delegated to their national SA or representative.

Perhaps unsurprisingly, this has led to criticism from non-EU establishments, which are now left to their own devices to notify several different EU and national authorities within the respective timescales following a personal data breach, with very little coordination support afforded to them by the EU. This could potentially leave non-EU establishments with the burden of submitting up to 27 individual notifications when a personal data breach results in cross-border detriment to data subjects across the EU.

Find the EDPB updated guidelines here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.