Learn which EU data protection authorities non-EU companies must notify if they have a GDPR personal data breach, according to European Data Protection Board guidance.
Question
According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?
A. Only the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established.
B. Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.
C. Every supervisory authority of the EU member states where the controller is offering goods or services.
D. Every supervisory authority for which affected data subjects reside in their EU member state.
Answer
A. Only the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established.
Explanation
According to the European Data Protection Board, if a controller that is not established in the EU but is still subject to the GDPR becomes aware of a personal data breach, they must notify the supervisory authority of the EU member state where their designated EU representative is located, as required by GDPR Article 27.
The correct answer is A: Only the supervisory authority of the EU member state in which the controller’s EU representative (pursuant to Article 27) is established.
The other options are incorrect:
B is wrong because the one-stop-shop mechanism only applies to controllers with an establishment in the EU.
C and D are incorrect because a non-EU controller does not need to notify the authorities of every EU member state where it offers goods or services or where affected data subjects reside. It only needs to notify the single supervisory authority of the member state where its EU representative is based.
In summary, non-EU companies subject to the GDPR must designate an EU representative in one member state and notify that state’s supervisory authority in the event of a personal data breach. This provides a streamlined breach notification process for controllers not established in the EU.