
Description

Adopted amendment to Guidelines on personal data breach notification under GDPR

On 10 October 2022, the European Data Protection Board (EDPB) adopted the "Guidelines 09/2022 on personal data breach notification under GDPR". The EDPB amended paragraph 73 of the previous Guidelines to specify the data breach reporting obligations of data controllers that are not established in the European Union (EU) but process the data of EU residents. In particular, the amendment notes that the presence of a data controller's representative in a Member State does not trigger the one-stop-shop system, which allows a data breach to be reported only to the EU lead supervisory authority. Data controllers not established in the EU will have to report the breach to every authority where the affected data subjects reside. Furthermore, the notification will have to comply with the mandate given by the controller to its representative and be under the controller's responsibility.


Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: supranational
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2022-10-10
adopted

On 10 October 2022, the European Data Protection Board (EDPB) adopted the "Guidelines 09/2022 on pe…

2022-10-18
in consultation

On 18 October 2022, the European Data Protection Board (EDPB) opened a consultation on the updated …

2022-10-29
in consultation

On 29 November 2022, the public consultation on the European Data Protection Board (EDPB) updated "…

2023-03-28
adopted

On 28 March 2023, the European Data Protection Board (EDPB) adopted Version 2 of the Guidelines…