Data Breach Notifications Across Europe: EDPB's list published!

This significant update nearly went unnoticed as all attention was focused on the final text of the AI Act. The EDPB finally published the list detailing the notification processes of all relevant EEA data protection authorities (DPAs). In connection with the amended guideline 9/2022, this means that a non-EU company may need to report to 45 DPAs in 26 languages.

The public consultation emphasized that such complexity is nearly impossible to deal with in 72 hours, increases the cost of a data breach notification immensely, and disadvantages non-EU companies. Most importantly, it even jeopardises the concept of the data breach notification by making it an unworkable burden, with the consequence that non-EU companies may be tempted not to report a data breach, and are thereby forced into taking the risk of non-compliance and facing GDPR fines for doing so.

The list published by the EDPB provides information on:

  • 🗣️ Accepted Languages: Different countries have specific language requirements for notifications.
  • 📧 How to Submit: Various methods, such as online forms, email contacts, and postal addresses, are available for reporting breaches.

Here’s a quick overview of notification procedures for some major EU countries:

  • Germany: Notification processes vary among DPAs, with some accepting only German, while others also accept English.
  • France: Notifications are accepted exclusively in French.
  • Italy: Notifications accepted in Italian.
  • Spain: Notifications accepted in Spanish or English.
  • Poland: Notifications must be in Polish.
  • Netherlands: Notifications accepted in Dutch or English.
  • Sweden: Notifications accepted in Swedish or English.
  • Belgium: Notifications accepted in French, Dutch, or German.

For the complete list, please refer to the link.

Prighter is actively working on simplifying the data breach handling processes.