WP29 Publishes Revised Guidelines on Personal Data Breach Notification Under GDPR

In October 2017, the Article 29 Working Party (WP29) issued guidelines on personal data breach notification under GDPR, which were submitted for public comment. The revised version was adopted 6 February 2018.

The revised guidelines do not differ much from the first published ones. However, one key point to be emphasized concerns the moment when a controller is deemed “aware” of the breach in the context of a breach affecting one of its processors. Under Article 33 of GDPR, a controller has the obligation to notify the competent national supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. And the controller is required to do so without undue delay, no later than 72 hours after having become aware of it.

In its original version of the guidelines, the WP29 Party had indicated that a controller was considered to be aware of it at the same time the processor became aware. This crucial point of clarification of the Regulation was (understandably) not well received among controllers and processors. Indeed, even with the most diligent processor, this would have left very little to no time for controllers to properly prepare their notification to the supervisory authority, increasing their risk of non-compliance. It would have also resulted in more contentious contract negotiations between controllers and processors on this sensitive point. The WP29 in its revised guidelines now indicated that controllers are deemed to be aware of a breach when it has been informed of it by the processor.

Other than this key point, what we summarized on the first version remains essentially the same. The focus of any breach response plan should be on protecting individuals and their personal data. Consequently, both controllers and processors are encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. It should also be remembered that while a breach is a type of security incident, the GDPR applies only where there is a breach of personal data. The contract between the controller and processor should specify how the requirements expressed in Article 33(2) should be met in addition to other provisions in the GDPR.

Finally, one noteworthy addition concerns breaches at non-EU establishments (at organizations subject to GDPR on the basis of article 3(2) – offering goods and services to data subjects in the Union or monitoring data subject behavior as far as said behavior takes place within the Union). The WP29 specifies that those organizations are, of course, subject to the notification requirement and recommends that notification be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. It similarly applies to processors outside the EU which then must notify the controller.