The final version of the EDPB Guidelines on personal data breach notification under GDPR is now available


On 4 April 2023, the European Data Protection Board (“EDPB”) published on its website the final version, following public consultation, of Guidelines 9/2022 on personal data breach notification under GDPR, adopted during its 77th Plenary meeting.

According to the EDPB, the initial version for public consultation represents “a slightly updated version” of the previous Article 29 Working Party guidance on the same subject (i.e., WP250rev.01), endorsed by the EDPB at its first Plenary meeting.

Because the EDPB had noticed a need to clarify the notification requirements concerning personal data breaches at non-EU establishments, a public consultation was launched in October 2022, specifically on paragraph 73 of these guidelines.

The final version of this paragraph (as finalized following the public consultation) now reads:

“However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.”