The European Data Protection Authority EDSA has published version 2 of its “Guidelines 9/2022 on personal data breach notification under GDPR”, dated March 28, 2023. Version 1 was dated October 10, 2022. A deltaview comparing the two versions is available here (PDF).
The changes in the new version, which was preceded by a public consultation, concern only one point, but an important one. Unlike the first version, the EDSA no longer provides for breach notifications by controllers established outside the EEA to be concentrated at the location of their EU representative. Instead, companies established outside the EEA must, where the conditions for notification are met, report a breach to every competent supervisory authority, regardless of whether and where they have appointed an EU representative.
The reworded paragraph now reads:
However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason, the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.