Data Breaches
Cross-border personal data breaches
In some cases a personal data breach affects data subjects in several EU Member States; this is known as a cross-border personal data breach. For example, a company may have customers in several Member States and keep all customer data in one system at its head office. A breach of that system, such as unauthorised access to the personal data, then affects data subjects across all of those Member States.
Responsible supervisory authority in case of cross-border personal data breaches
Companies carrying out cross-border processing of personal data need to know which supervisory authority is their lead supervisory authority. This is usually the authority of the country in which the company has its main establishment. For example, if a company sells products throughout the Nordic region and has its head office in Denmark, then Denmark is its main establishment and the Danish authority is the lead supervisory authority. In some cases, however, another country's supervisory authority is the lead instead, namely when the decisions about the purposes and means of the processing are actually taken in another EU country.
One important reason why companies need to know which supervisory authority is responsible is to be able to report personal data breaches in time. Under the GDPR, a personal data breach that is likely to result in a risk to individuals must be notified to the supervisory authority no later than 72 hours after the company becomes aware of it. A company that does not already know which authority to contact loses valuable time within that deadline.
In case of a cross-border personal data breach: Data subjects can lodge complaints with any supervisory authority
A data subject who wishes to complain about a violation of the GDPR can lodge the complaint with any supervisory authority in the EU/EEA. That authority may conclude that another country's supervisory authority is better placed to handle the case and, if so, transfers it there. Data subjects therefore do not need to know in which country the company has its main establishment or which authority is the lead supervisory authority.
Supervision following complaints by data subjects from several countries: Direct marketing in violation of GDPR
The Swedish Authority for Privacy Protection carried out a supervisory review of a company after individuals had filed complaints with the supervisory authorities in Italy, Poland and the UK. Because the company has its head office in Sweden, the Swedish authority is the lead supervisory authority, and the complaints were transferred to it. The company was ordered to pay an administrative fine of SEK 350 000 for, among other things, failing to stop direct marketing after the data subjects had objected to it.
More information about GDPR
Carrying out a risk assessment when a personal data breach occurs
When a personal data breach occurs, the company must carry out a risk assessment. On that basis the company can decide whether it needs to notify the responsible supervisory authority and whether it also needs to inform the affected data subjects. The risk assessment should cover, among other things, the nature of the breach, the nature and sensitivity of the personal data involved, the consequences the breach may have for the data subjects, and whether the data subjects belong to a group in particular need of protection (such as children, the elderly or persons with disabilities).