What’s wrong with personal data breaches under the GDPR?

This week, FEDMA submitted its contribution to the EDPB’s targeted consultation on the Guidelines 9/2022 on personal data breach notification under GDPR.

Compared to other EDPB consultations, this call for feedback concerns a minor update to the guidelines, intended to clarify the notification duties of controllers and processors that are not established in the EU.

Specifically, the additional draft paragraph provides that, in the event of a personal data breach, a non-EU organisation will need to notify “every single authority for which affected data subjects reside in their Member State”, rather than a single lead authority, and that the “mere presence of a representative in a Member State” does not change this.

In its feedback to the EDPB, FEDMA pointed out that the proposed update would compound the hurdles companies already face when notifying personal data breaches, including:

  • significant bureaucratic burden in navigating the different national notification form systems;
  • a lack of clarity about the cases in which DPAs would accept a notification made after the 72-hour window of Article 33(1) GDPR;
  • over-reporting of breaches, often with excessive detail, for fear of being sanctioned, which “swamps” DPAs with thousands of unnecessary or trivial notifications.

Read FEDMA’s full contribution here.