EDPB Guidelines Update for Non-EU Companies

On October 10, 2022 the European Data Protection Board (EDPB) issued the updated Guidelines 9/2022 on personal data breach notification under GDPR.

According to the document, the EDPB saw a need to clarify the notification requirements for personal data breaches at controllers and processors not established in the EU. Only the paragraph dealing with this matter has been revised; the rest of the document was left unchanged apart from editorial corrections. More specifically, the revision concerns paragraph 73 in Section II.C.2 of the Guidelines.

Here is the broader context extracted from the Guidelines:

‘This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

72. Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) GDPR and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34 GDPR. Article 27 GDPR requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.

73. [CTA Focus comment: Previously the Guidelines required that notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established.] However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system [CTA Focus comment: See WP29 Guidelines for identifying a controller or processor’s lead supervisory authority, available at http://ec.europa.eu/newsroom/document.cfm?doc_id=44102.] For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller.

74. Similarly, where a processor is subject to Article 3(2) GDPR, it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2) GDPR.’

The above update provoked a rather mixed reaction among data protection professionals: many experts claim the updated Guidelines add to the administrative burden and significantly complicate life for controllers, since a single breach may now have to be notified to several supervisory authorities instead of one.

Worth mentioning: the updated Guidelines are open for public consultation until November 29, 2022.

Related Links:

http://ec.europa.eu/newsroom/document.cfm?doc_id=44102

https://edpb.europa.eu/system/files/2022-10/edpb_guidelines_202209_personal_data_breach_notification_targetedupdate_en.pdf
