The European Data Protection Board (EDPB) launched a public consultation on data breach notifications for controllers not established in the EU. These controllers, when suffering a data breach affecting data subjects in multiple EU member states, must notify all supervisory authorities where affected data subjects reside. Following the consultation, paragraph 73 of the guidelines has been reworded to clarify the notification requirements for such controllers as follows:
“However, the mere presence of a representative in a Member State does not trigger the one-stop-shop system. For this reason the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State. This (these) notification(s) shall be the responsibility of the controller.”
The update confirms that controllers not established in the EU cannot rely on their representative to benefit from the one-stop-shop mechanism, and that such controllers remain responsible for notifying each relevant supervisory authority themselves. As such, controllers established in the UK will continue to be subject to the requirement to notify every supervisory authority in whose Member State affected data subjects reside.