
EDPB Publishes Updated Guidelines on Personal Data Breach Notification and Identifying the Lead Supervisory Authority


On October 18 and 21, 2022, the European Data Protection Board (“EDPB”) published updated guidelines (i) on personal data breach notification under the GDPR and (ii) on identifying a controller or processor’s lead supervisory authority, respectively. Both guidelines are in draft form and are open to public consultation until the end of November.

  • Guidelines on personal data breach notification (which we discussed in our previous blog post)

The EDPB changed the guidelines to clarify that controllers and processors not established in the EU that suffer a personal data breach affecting data subjects in several EU Member States have to notify all the supervisory authorities where the data subjects reside.  They cannot benefit from the GDPR’s “one-stop-shop”, which allows controllers and processors established in the EU to only notify the (lead) supervisory authority of the Member State where their main establishment is located.  Whether these rules can be effectively enforced, assuming they appear in the finalized guidance, is an open question and authorities may struggle to apply them in practice.

  • Guidelines on identifying a controller or processor’s lead supervisory authority

The EDPB changed the guidelines to clarify that joint controllers cannot have one common main establishment.  Each controller may have a main establishment and benefit from the “one-stop-shop”, but they cannot agree to have a combined main establishment and lead supervisory authority.  This means, for example, that if joint controllers suffer a data breach that is notifiable under the GDPR, each controller has to notify the data breach to their respective competent supervisory authority.

The Covington Privacy and Cyber team will keep monitoring the guidance released by the EDPB and is happy to assist with any inquiries on the topic. Please contact us if you would like to respond to the public consultation, or if you would like advice on the draft guidelines.

