European Data Protection Board consults on Guidelines on personal data breach notification under GDPR


The consultation concerns paragraph 73 of the Guidelines only. This paragraph covers breaches at non-EU establishments under Article 3(2) of the GDPR, the notification of such breaches where there is a designated representative, and the one-stop-shop system.

The Guidelines explain that Article 3(2) covers the processing, by controllers/processors not established in the EU, of the personal data of data subjects who are in the EU. It covers processing activities related to the offering of goods or services to such data subjects in the EU, irrespective of whether a payment of the data subject is required, or to the monitoring of their behaviour as far as their behaviour takes place within the EU.

Further, the Guidelines explain, Article 3(3) provides that the GDPR applies to the processing of personal data by a controller not established in the EU but in a place where Member State law applies by virtue of public international law.

The Guidelines also state that where a controller not established in the EU is subject to Article 3(2) or Article 3(3) and experiences a breach, it is still bound by the notification obligations under Articles 33 and 34. Article 27 requires a controller (and a processor) to designate a representative in the EU where Article 3(2) GDPR applies.

Paragraph 73 provides that “the mere presence of a representative in a Member State does not trigger the one-stop-shop system”. Therefore, paragraph 73 states, the breach will need to be notified to “every single authority for which affected data subjects reside in their Member State”. Further, such notification “shall be done in compliance with the mandate given by the controller to its representative and under the responsibility of the controller”. It is this paragraph that the EDPB is consulting on.

Comments on paragraph 73 should be sent by 29 November 2022.