The General Data Protection Regulation (GDPR) introduces a duty for controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR also requires controllers to communicate the personal data breach to the affected data subjects without undue delay, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU or the monitoring of their behaviour as far as their behaviour takes place within the EU.

The GDPR provides that where a controller or a processor is not established in the EU, but is subject to the GDPR, the controller or the processor shall designate in writing a representative in the EU. The representative shall be established in one of the member states where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. The representative shall act on behalf of the controller or the processor and may be addressed by any supervisory authority or data subject on any issues related to the processing of personal data under the GDPR.

The GDPR also establishes a one-stop shop mechanism, which aims to ensure the consistent and effective application of the GDPR across the EU. The one-stop shop mechanism allows a controller or a processor with establishments in several member states to have a single supervisory authority as its interlocutor, which is the supervisory authority of the main establishment or of the single establishment of the controller or processor. The one-stop shop mechanism also enables a controller or a processor that is not established in the EU, but is subject to the GDPR, to deal with a single lead supervisory authority, which is the supervisory authority of the member state where the representative of the controller or processor is established.

Based on the GDPR and the guidelines of the European Data Protection Board (EDPB), if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, the controller must notify the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established. This is the only supervisory authority that the controller must notify, as the controller benefits from the one-stop shop mechanism and has a single lead supervisory authority. The controller does not need to notify every supervisory authority of the EU member states where the controller is offering goods or services or where the affected data subjects reside, as this would be contrary to the principle of consistency and the aim of simplification of the one-stop shop mechanism.

References:

GDPR, Articles 3, 4, 27, 28, 29, 33, 34, 51, 55, 56, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, and 68.

EDPB Guidelines 9/2022 on personal data breach notification under GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, and 16.

EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, pages 19, 20, 21, 22, 23, 24, 25, 26, 27, and 28.

EDPB Guidelines 3/2018 on the territorial scope of the GDPR, pages 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, and 15.