On 3 January 2022, the European Data Protection Board (“EDPB”) published on its website the final version, following public consultation, of the Guidelines 01/2021 on examples regarding data breach notification, adopted during the December ’21 plenary.
According to the EDPB, these Guidelines aim to complement the previous Article 29 Working Party guidance on the same topic (e.g., WP213, WP250rev.01) by introducing more practice-orientated guidance and recommendations on how to handle data breaches and what factors to consider during risk assessment.
Since the current version addresses the comments received on the version for public consultation, the main amendments consist of emphasizing the processors’ responsibilities with regard to data breaches, detailing certain factual aspects of some of the case studies, and further clarifying the advisable measures corresponding to them. Nonetheless, the initial recommendations on whether the competent national supervisory authority or the data subjects should be notified remained unchanged.