The Art. 29 Data Protection Working Party has published the final version, dated February 6, 2018, of the “Guidelines on Personal data breach notification under Regulation 2016/679”. The deviations from the draft of October 3, 2017 can be seen in this comparison document: Link (PDF).
Among other things, there are new explanations regarding data breaches at controllers that are not established in the EU:
Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34. Article 27 requires a controller (and processor) to designate a representative in the EU where Article 3(2) applies. In such cases, WP29 recommends that notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. Similarly, where a processor is subject to Article 3(2), it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2).
Under Art. 27(3) in conjunction with Art. 3(2) GDPR, companies are free, to a certain extent, to determine where their EU representative is located. If the approach of the Art. 29 Working Party is followed, this also gives them some latitude in choosing the addressee of breach notifications.
The final version also contains, among other things, the following clarifications:
- clarifications on whether the data breach provisions apply in the case of temporary unavailability of data
- the following clarification on the question of when a controller has “become aware” of a breach (Art. 33(1) GDPR):
However, as indicated earlier, the GDPR requires the controller to implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place and to promptly inform the supervisory authority and the data subjects. It also states that the fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the breach and its consequences and adverse effects for the data subject. This puts an obligation on the controller to ensure that they will be “aware” of any breaches in a timely manner so that they can take appropriate action.
- the following clarification regarding joint controllers:
Article 26 concerns joint controllers and specifies that joint controllers shall determine their respective responsibilities for compliance with the GDPR. This will include determining which party will have responsibility for complying with the obligations under Articles 33 and 34. WP29 recommends that the contractual arrangements between joint controllers include provisions that determine which controller will take the lead on, or be responsible for, compliance with the GDPR’s breach notification obligations.
- the clarification that processors have to notify the controller of data breaches without first carrying out a risk assessment; the risk assessment is the controller's task (although, under Art. 28(3)(f) GDPR, this task may well be delegated to the processor)
- the clarification that data breaches in the case of cross-border processing (within the meaning of Art. 4(23) GDPR, which requires at least one establishment in a Member State) must in each case be notified to the lead supervisory authority
- a clarification on notifications to data subjects, including on the language to be used
- a clarification that tokenization is treated like encryption when assessing the risk arising from a breach (relevant, for example, to electronic payment systems)
- a vague statement on how long records of data breaches must be retained (documentation duty under Art. 33(5) GDPR)