EDSA: Version 2 of the Breach Notification Guidelines: no concentration at the EU representative.

The European Data Protection Authority EDSA has published Version 2 of its “Guidelines 9/2022 on personal data breach notification under GDPR”, dated March 28, 2023. Version 1 is dated October 10, 2022. A deltaview of the two versions is available here (PDF).

The changes in the new version – which was preceded by a public consultation – concern only one point, but an important one. Unlike the first version, the EDSA no longer provides for security breach notifications by controllers established outside the EEA to be concentrated at the location of the EU representative. Instead, companies established outside the EEA must report security breaches – if the conditions are met – to all competent supervisory authorities, regardless of whether and where they have appointed an EU representative.

The correspondingly reworded paragraph reads:

However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (These) notification(s) shall be the responsibility of the controller.



