The European Data Protection Board (EDPB) released on October 10, 2022, guidelines 09/2022 on the obligation to notify the supervisory authority of a data breach, submitting them to a “targeted” public consultation. These guidelines take over and replace the previous wp250 rev.01 on the same topic, issued by the Article 29 Working Party (WPArt29) and endorsed by the EDPB.
Wp250 rev.01 and guidelines 9/2022
The topic of personal data breaches and the associated obligation to notify the competent supervisory authority (where the incident may result in risks to the rights and freedoms of the individuals involved) had already been addressed by WPArt29 in the wp250 rev.01 guidelines, later confirmed by the EDPB. This second document (Guidelines 9/2022) updates and replaces wp250 rev.01, reproducing its contents in full with some changes in form and one new addition.
GDPR applicable to non-EU data controllers
The only substantial addition to the 9/2022 guidelines compared to the previous wp250 rev.01 consists of paragraph 73, which addresses the issue of how to notify a data breach if it is attributable to a non-EU data controller that does not have establishments in the Union. This is the case of a company established outside the territory of the Union but performing personal data processing that falls under the territorial scope of the GDPR, as it relates to services or products directed to consumers located in the EU or involves monitoring the behavior of individuals in the EU.
These are the cases in which Article 3 of the GDPR extends the scope of the regulation beyond the territorial borders of the Union, pegging its scope to the “target criterion”, i.e., the fact that the non-EU controller directs its activities to individuals who are on the territory of the Union (the target), whatever the location where the processing of personal data takes place.
Non-EU data controller and data breach notification obligation
If the non-EU controller performs any of the activities specified in Article 3 GDPR, according to the “target criterion,” the EU regulation applies to the personal data processing related to those activities. Consequently, if a personal data breach involves these same processing operations, the rules laid down by Articles 33 and 34 GDPR apply to it. As is well known, Article 33 obliges the data controller to notify the data breach to the supervisory authority concerned if a risk to the rights and freedoms of the individuals involved may result from the incident.
Authority entitled to receive the notification
The supervisory authority entitled to receive the notification is that of the member state in which the breach has produced effects. Therefore, if the breach affects only individuals located in a single member state of the Union, the issue presents no interpretative difficulty: the notification, if due, must be made to the supervisory authority of that member state. The case is different where, conversely, the effects of the breach affect individuals located in more than one member state: how is the notification obligation, if any, to be fulfilled?
The GDPR defines “cross-border processing” as processing which, in brief,
- involves the activities of establishments of the controller or processor in more than one member state, or
- involves the activities of a single establishment in the Union, but substantially affects data subjects in multiple member states (Art. 4(23) GDPR).
Cross-border processing, having effects in multiple member states, affects the supervisory authorities of each of those countries. Thus, a personal data breach related to cross-border processing raises the question of who is to be notified, if notification is due.
It is the GDPR that provides the answer to the question, providing that when there is cross-border processing there is a single authority that acts as the lead authority over the other supervisory authorities concerned, i.e., those authorities
- of the member state where the controller has an establishment, or
- of the EU country where the data subjects substantially affected by the data breach are located (Art. 4(23) GDPR).
The lead authority, again according to the GDPR, “is the supervisory authority of the principal or sole establishment of the controller,” or the controller, acting in accordance with the cooperation procedure and the one-stop-shop mechanism (Recital 127).
It is to the lead authority that the controller affected by a cross-border data breach must make the notification, specifying that the same breach has also had effects in other jurisdictions.