New EDPB Guidelines on personal data breach notification under GDPR
On 28 March 2023, the European Data Protection Board ("EDPB") published version 2.0 of its Guidelines on personal data breach notification under the General Data Protection Regulation ("GDPR"), following a targeted public consultation on data breach notification for controllers not established in the EEA.
Headnote: The EDPB found that the notification requirements for personal data breaches at non-EU establishments needed clarification. Following the public consultation, the provisions on this matter have been revised and updated; the rest of the Guidelines is unchanged.
Practically speaking, the update concerns paragraph 73 of the Guidelines, which now reads:
"73. However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller." The last sentence, on who bears responsibility for the notification, reverses the position taken in the previous version of the Guidelines.
To summarize the rest of the Guidelines: they address basic security considerations, define a personal data breach, describe the types of personal data breach (confidentiality, integrity and availability breaches) and their possible consequences. They then set out the steps to take once a breach has occurred: notification to the supervisory authority, the timing of the notification, the recipients and the information to be provided; they also cover cross-border breaches, breaches at non-EU establishments, and the cases in which notification is not required.
Regarding communication to the individuals whose personal data have been affected, the Guidelines cover the application of Article 34 of the GDPR: what information is to be provided, how to contact the individuals, and under what circumstances communication is not required.
Related to the above, the Guidelines explain how to assess the risk and which steps follow once a risk, or a high risk, to individuals is identified. The GDPR (Recital 76) provides that when assessing risk, consideration should be given to both the likelihood and the severity of the risk to the rights and freedoms of data subjects, and that risk should be assessed objectively, taking into account the specific circumstances of the breach.
Accordingly, the EDPB recommends that the assessment consider the following criteria: (i) the type of breach (the Guidelines give the example that a confidentiality breach, in which medical information is disclosed to unauthorised parties, may have a different set of consequences for an individual than an availability breach, in which the individual's medical details are lost and no longer available); (ii) the nature, sensitivity and volume of the personal data (here the Guidelines also give examples in which a breach of the same personal data has a different impact, ranging from negligible to severe damage, depending on the context); (iii) the ease of identification of individuals; (iv) the severity of the consequences for individuals; (v) special characteristics of the individual; (vi) special characteristics of the data controller; and (vii) the number of affected individuals. Finally, according to the Guidelines, if in doubt the controller should err on the side of caution and notify the breach. Annex B of the Guidelines provides useful examples of different types of breaches involving risk or high risk to individuals.
Last but not least, the Guidelines provide important information on the controller's obligation to document all breaches, regardless of whether they were notified, in accordance with Article 33(5) GDPR, and on the role of the Data Protection Officer ("DPO").
In conclusion, we consider the above summary useful as a reminder for controllers and processors, even though the only changes from the previous Guidelines concern the rules on responsibility for breach notification where the controller or processor is not established in the EU or EEA.