A data breach when having a GDPR Representative: Who notifies?

For the past two months, I worked as a legal intern for Privacy Company. Amongst other things, I have engaged myself with international data transfers, DPO tasks, EU-Representative obligations and (the notification obligation of) personal data breaches. Especially something about the last two subjects sparked my interest.

Article 27 GDPR: A local point of contact for data subjects in the EU

A key requirement of the GDPR is article 27. It obliges organisations without EU establishments to designate an ‘EU Representative’ (‘GDPR Representative’) when certain conditions are met. The EU Representative acts in accordance with a written mandate. Functioning as a local contact point, the Representative facilitates smooth communication between the organisation, supervisory authorities and data subjects. In light of Brexit, when organisations from the United Kingdom are not established in the EU, article 27 GDPR becomes increasingly important. Overall, one of the GDPR Representative’s main functions is to ensure that data subjects can effectively exercise their rights [1].

Communicating a data breach

It seems to me that notification obligations of personal data breaches are also an important part of the GDPR, ensuring the protection of data subjects and their personal data [2]. Article 33 and 34 GDPR set strict requirements on data breach notification duties. Organisations must notify supervisory authorities within 72 hours if they experience a serious data breach. If there is a high risk, organisations also have to communicate a data breach to affected data subjects. Moreover, not adhering to the notification obligations under the GDPR can result in high fines [3]. The number of data breach notifications has significantly increased since the introduction of article 33 and 34 GDPR. Considering this increase, it can be expected that these obligations will only gain more relevance in the upcoming years. With the aim of protecting data subjects, there seems to be quite some attention to the interpretation of articles 27, 33 and 34 GDPR. This follows from (online) discussions, recitals of the GDPR (80 and 85-88), and guidelines and recommendations of both the WP29 [4] and supervisory authorities like at the British ICO and the Dutch AP

Communicating a data breach when having a GDPR Representative

In the case of a serious data breach, the question arises of whether the organisation with no EU establishment, or its GDPR Representative is responsible for notifying supervisory authorities and data subjects.  

I think the answer to this question depends on agreements made between the organisation and the GDPR Representative. Moreover, the type of data breach, communication channels of the organisation, the amount of data subjects, and the language(s) that data subjects speak, could have ramifications as to who notifies the parties involved.

I expected there to already be opinions on this topic. However, as far as I could judge in a short period of time, both article 27 and recital 80 of the GDPR, and EDPB guidelines seem to not provide definite answers [5]. WP29 recommends the notification to be made to the supervisory authority in the member state where the EU Representative is established [6]. However, who should exactly report the breach and who should communicate with data subjects seems to be open for interpretation. Additionally, many Q&A’s, like the one of the IAPP, barely seem to address this topic. Googling the (many different types of) GDPR Representative service providers.undefined

(When) will the online discussion start?

I understand that this subject will not make the privacy priority list yet. However, it occurs to me that in the context of the GDPR Representative service, the topic of data breach notifications does not seem to be mentioned in the market at all. As an organisation, this is something to inquire when planning to designate a GDPR Representative.  

I wonder whether, and if so when, an online dialogue will start. Perhaps this blog can contribute to the discussion. Either way, a finding that seems worth sharing after a fun internship at Privacy Company.

[1] WP29 Guidelines 3/2018 on the territorial scope of the GDPR (Art 3) p. 26-27.

[2] Recital 85-88 GDPR and WP 29 Guidelines on Personal data breach notification under Regulation 2016/679 p. 5.

[3] WP29 Guidelines on Personal data breach notification under Regulation 2016/679 p. 10.

[4] WP29 Guidelines 3/2018 on the territorial scope of the GDPR (Art 3) and WP 29 Guidelines on Personal data breach notification under Regulation 2016/679.

[5] WP29 Guidelines 3/2018 on the territorial scope of the GDPR (Art 3) p. 27 & WP 29 Guidelines on Personal data breach notification under Regulation 2016/679 p. 18.

[6] WP29 Guidelines on Personal data breach notification under Regulation 2016/679 p. 18.

Published on
5/13/2020
by
Marije
GDPR Representative; Privacy Company; Supervisory authorities; Data subjects; Data subject rights; Data breach; Article 27 GDPR