The European Data Protection Board (EDPB) published guidelines on personal data breach notifications under the GDPR. There was a need to provide clarity on the notification requirements relating to personal data breaches at non-EU establishments. The GDPR introduced the requirement for a personal data breach to be notified to the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority). In certain cases, there’s a requirement for controllers to communicate the breach to the people whose personal data have been affected by the breach. The current guidelines explain the mandatory breach notification and communication requirements of the GDPR and some of the steps controllers and processors can take to meet these obligations. In this post, we highlight the purpose and contents of the guidelines.

When do the guidelines come into effect?

The guidelines were adopted on 10 October 2022 and are at the public consultation stage. The EDPB welcomes comments until 29 November 2022.

We will update this post once the EDPB publishes the final guidelines.

Purpose

The purpose of the guidelines is to provide controllers and processors with information about when and how to notify individuals and relevant authorities when there are data breaches. According to the EDPB, the notification requirement has several benefits. When controllers notify the supervisory authority, they can get advice on whether they need to inform the affected individuals. The supervisory authority can also order the controller to inform those individuals about the breach. Communicating a breach to individuals allows the controller to provide information on the risks presented because of the breach. It also means that those individuals can take steps to protect themselves from potential consequences.

What do the guidelines cover?

Most of the document is unchanged from the previous version, apart from editorial changes. The substantive revision concerns paragraph 73 in Section II.C.2, which reads:

“… the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every single authority for which affected data subjects reside in their Member State. This notification shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller”. 

This is what we think you should know:

  • Notification to the supervisory authority should form part of the controller's incident response plan.
  • A breach response plan should focus on protecting individuals and their personal data. The notification is a compliance enhancement tool.
  • Failure to notify a breach to the supervisory authority, or to communicate it to the affected individuals, may result in a sanction being imposed on the controller under Article 83 of the GDPR.
  • Controllers and processors are encouraged to:
    • plan in advance and put processes in place to detect and promptly contain a breach,
    • assess the risk to individuals to determine whether it is necessary to notify the competent supervisory authority, and
    • communicate the breach to the individuals concerned when necessary.

Guidelines 9/2022 on personal data breach notification under GDPR

This is the full name of the guidelines that the EDPB published.

Actions you can take