On October 18 and 21, 2022, the European Data Protection Board (“EDPB”) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.
- Guidelines on personal data breach notification (which we discussed in our previous blog post)
The EDPB changed the guidelines to clarify that controllers and processors not established in the EU that suffer a personal data breach affecting data subjects in several EU Member States have to notify the supervisory authority of every Member State where affected data subjects reside. They cannot benefit from the GDPR’s “one-stop-shop”, which allows controllers and processors established in the EU to notify only the (lead) supervisory authority of the Member State where their main establishment is located. Whether these rules can be effectively enforced, assuming they survive into the finalized guidance, is an open question; in practice, authorities may struggle to apply them to entities with no EU establishment.
- Guidelines on identifying a controller or processor’s lead supervisory authority
The EDPB changed the guidelines to clarify that joint controllers cannot have one common main establishment. Each controller may have a main establishment and benefit from the “one-stop-shop”, but they cannot agree to have a combined main establishment and lead supervisory authority. This means, for example, that if joint controllers suffer a data breach that is notifiable under the GDPR, each controller has to notify the data breach to their respective competent supervisory authority.
The Covington Privacy and Cyber team will keep monitoring the guidance released by the EDPB and is happy to assist with any inquiries on the topic. Please contact us if you would like to respond to the public consultation, or if you would like advice on the draft guidelines.