European Data Protection Board: New guidelines on personal data breach notification

The European Data Protection Board (EDPB) recently published new guidelines on personal data breach notification under the General Data Protection Regulation (GDPR) for public consultation. Companies should take these guidelines as an opportunity to review internal processes and policies for managing data protection incidents to determine whether they take into account the requirements of the European supervisory authorities.

Background: Strict personal data breach notification obligations under the GDPR and established guidelines issued by the Article 29 Working Party

The GDPR requires companies to notify the competent supervisory authority of any personal data breaches without undue delay – if possible, within 72 hours. Such notification is only not compulsory if the personal data breach is unlikely to result in a risk to data subjects. If the risks to data subjects are likely to be high, companies must also communicate the personal data breach to the data subjects. Regardless of these risks and the resulting notification obligations, companies must document all personal data breaches internally. Companies that do not comply with these obligations can be subject to official measures, fines and possibly even claims for damages asserted by data subjects.

Even before the GDPR came into force, the group then known as the Article 29 Working Party adopted guidelines on personal data breach notification on 3 October 2017. As the successor to the Article 29 Working Party, the EDPB formally endorsed these guidelines on 25 May 2018.

Only some clarifications on notification obligations of companies not established in the EU

Apart from editorial changes, the EDPB’s new guidelines on personal data breach notification largely repeat the content of the established Article 29 Working Party’s guidelines without revision. Only in one section did the EDPB see a need for minor adjustments to clarify notification obligations of companies not established in the EU.

Companies that are not established in the EU but are subject to the applicability of the GDPR usually must appoint a representative in the EU. However, according to the EDPB, the mere presence of such a representative in the EU does not trigger the “one-stop-shop” principle. This principle gives companies established in several EU Member States the option, if necessary, to notify a single “lead supervisory authority” competent for them in the event of a personal data breach. If a personal data breach affects individuals in several Member States, companies not established in the EU have to contact the competent supervisory authorities of each of these Member States. Where individuals in Germany are affected by a personal data breach, companies not established in the EU must notify the supervisory authorities of each German federal state. In practice, this can lead to enormous expenses for companies not established in the EU for notifying several different supervisory authorities of a personal data breach.

Unfortunately, some other questions regarding notification of personal data breaches that had not been conclusively clarified remain unclear in the new EDPB guidelines. One such question that is often particularly relevant in practice is whether a company is released from the obligation to notify the competent supervisory authority if the risks involved are merely minor. Such release is advocated, for example, by the Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz) in its brief paper on data protection risk.

Public consultation and companies’ possible need to revise processes and internal guidelines for managing data protection incidents

The EDPB will continue to welcome feedback regarding its new guidelines in the public consultation process until 29 November 2022, explicitly pointing out that the consultation does not cover all of the guidelines, but rather only the section on notification obligations of companies not established in the EU, the content of which has been updated. It cannot be ruled out that the EDPB will make changes to its guidelines based on the feedback in the consultation process. However, these changes are usually only of an editorial nature. Substantial changes to the content are not to be expected.

Companies not established in the EU that fall within the scope of the GDPR should therefore begin now to take the EDPB’s new clarifications into account when notifying authorities of personal data breaches, especially since the published version of the guidelines reflects the common line of the European supervisory authorities. We also recommend that companies established in the EU take the guidelines now adopted by the EDPB as an opportunity to review processes and internal policies for managing data protection incidents to determine whether they take into account the requirements of the European supervisory authorities.

Practical emergency planning and resilient data breach management form the backbone of an effective preventive policy to avoid data protection litigation regarding official measures, fines and claims for damages by data subjects due to personal data breaches. Effective and regularly tested processes for managing data protection incidents are essential for rapid management and timely notification of personal data breaches. Internal data breach management policies are an essential component of robust data protection governance documentation, not least due to data protection accountability.