EDPB Guidelines 9/2022 on personal data breach notification
On 18 October 2022, the EDPB published an updated version of the WP29 guidelines on personal data breach notification, which were last revised on 6 February 2018 (WP250rev01). The updated version was under public consultation until 29 November 2022.
The purpose of the update is to clarify the position of controllers and processors that are not established in the EU; the rest of the previous guidelines remains unchanged. The update is nevertheless an opportunity to recall the key principles behind data breach notification.
What is a personal data breach? The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (article 4(12) GDPR). The EDPB distinguishes three types of breach, which may occur together: confidentiality breach (unauthorized or accidental disclosure of, or access to, personal data), integrity breach (unauthorized or accidental alteration of personal data) and availability breach (accidental or unauthorized loss of access to, or destruction of, personal data). A ransomware attack that encrypts the controller's data without exfiltrating it is the typical example of an availability breach.
When must a controller notify the supervisory authority? Under article 33(1) GDPR, the controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The EDPB considers that, since Recital 87 of the GDPR expects controllers to have implemented all appropriate technical protection and organizational measures to establish immediately whether a breach has taken place, controllers are also obliged to ensure that they become aware of breaches in a timely manner. When exactly a controller becomes "aware" depends on the context; the guidelines give examples, the general rule being that a controller is aware once it has a reasonable degree of certainty that a security incident has compromised personal data. The EDPB also recalls that processors have a key role to play as part of their duty to cooperate with the controller: under article 33(2) GDPR, a processor must notify the controller "without undue delay" after becoming aware of a breach.
What information should be notified to the supervisory authority (SA)? The content of the notification is set out in article 33(3) GDPR. It must notably describe the nature of the breach, including the categories and approximate number of data subjects concerned (e.g., children and other vulnerable groups such as people with disabilities, employees or customers) and the categories and approximate number of records concerned (financial, educational, health...), give the contact details of the data protection officer or another contact point, and state the likely consequences of the breach and the measures taken or proposed by the controller to address it. Where some of this information is not yet available, that should not prevent the notification: article 33(4) allows the information to be provided in phases, so controllers can update the SA on the breach and on their risk assessment as the investigation progresses.
What if the notification is delayed? Notifying after the 72-hour deadline is still required, but the notification must then be accompanied by the reasons for the delay (article 33(1)). For example, where several similar confidentiality breaches occur over a short period, the controller may be unable to notify each of them within the deadline; the guidelines accept that such breaches may be reported in a single, bundled notification.
What about cross-border breaches involving controllers established in the EU? When a breach occurs in the context of cross-border processing, a controller established in the EU notifies its lead supervisory authority, determined in accordance with article 56 GDPR. The notification is therefore not necessarily made to the supervisory authority(ies) of the Member State(s) where the affected data subjects are located, although the controller should indicate in its notification whether establishments in other Member States are concerned. If the controller has any doubt about the identity of its lead SA, it should at a minimum notify the local SA where the breach took place, which is competent under article 55 GDPR.
What about controllers that are not established in the EU? For controllers without an establishment in the EU, the EDPB reverses the previous position of the WP29. When a controller that has no EU establishment but is nonetheless subject to the GDPR (article 3(2)) suffers a breach, the notification must be made, through its EU representative, to each competent SA of the Member States in which affected data subjects are located. The obligation is therefore no longer limited to the SA of the Member State where the controller's EU representative is established; the mere presence of a representative in a Member State does not trigger the one-stop-shop mechanism.
When is a notification not required? Notification to the SA is not required when the breach is "unlikely to result in a risk to the rights and freedoms of natural persons" (article 33(1)). For example, if the personal data was encrypted with a state-of-the-art algorithm, the encryption key has not been compromised and the controller holds a backup of the data, a confidentiality breach affecting only the encrypted data would not need to be notified to the SA. The EDPB insists, however, that circumstances may change over time: the controller must be able to re-evaluate the risk and notify the SA if the key, the algorithm or the data is later found to be compromised. The breach must in any event be documented (see below).
When should data subjects be informed and what must be communicated? Data subjects must be informed, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms (article 34(1)). The communication must describe the nature of the breach in clear and plain language and contain at least a contact point for further information, the likely consequences of the breach and the measures taken or proposed to address it (article 34(2)). The communication is not required where the data was protected by measures such as encryption, where subsequent measures have removed the high risk, or where it would involve disproportionate effort, in which case a public communication or equivalent measure is used instead (article 34(3)). Examples of breaches that would result in a high risk for data subjects are provided by the EDPB in an annex to the guidelines.
How must the risk assessment be carried out? The controller must assess the risk to data subjects as soon as it becomes aware of the breach, in parallel with the steps taken to contain and remediate it, since the outcome determines whether the SA and the data subjects must be notified. The EDPB lists criteria to consider, such as the type of breach, the nature, sensitivity and volume of the data, the ease with which individuals can be identified, the severity of the consequences for them, any special characteristics of the individuals or of the controller, and the number of data subjects affected.
How should controllers document the breach? Pursuant to article 33(5) GDPR, controllers must document any personal data breach, comprising the facts relating to it, its effects and the remedial action taken. This documentation is part of the accountability obligations and is mandatory even for breaches that have not been notified to the SA; it must enable the SA to verify compliance with article 33. The GDPR sets neither the structure of the documentation nor a retention period, which controllers must determine themselves. Since each step taken in response to the breach must be recorded, the documentation also serves controllers to justify the reasons for a delayed notification or for a decision not to notify.