Description

Adopted Version 2 of Guidelines on personal data breach notification under GDPR

On 28 March 2023, the European Data Protection Board (EDPB) adopted Version 2 of the Guidelines 09/2022 on personal data breach notification under GDPR, amending the guidelines to specify the obligations of data controllers concerning data breach notifications at non-EU establishments. The Guidelines specify that the presence of a data controller's representative in a Member State does not trigger the one-stop-shop system, which allows a data breach to be reported only to the EU lead supervisory authority. Data controllers not established in the EU will have to report the breach to every authority where the affected data subjects reside. The amendment to the Guidelines clarifies that the data controller is responsible for reporting data breaches and removes the section specifying that reporting should be done in accordance with the mandate given to the representative of the data controller in the EU.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: supranational
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2022-10-10
adopted

On 10 October 2022, the European Data Protection Board (EDPB) adopted the "Guidelines 09/2022 on pe…

2022-10-18
in consultation

On 18 October 2022, the European Data Protection Board (EDPB) opened a consultation on the updated …

2022-10-29
in consultation

On 29 November 2022, the public consultation on the European Data Protection Board (EDPB) updated "…

2023-03-28
adopted

On 28 March 2023, the European Data Protection Board (EDPB) adopted the Version 2 of the Guidelines…