Breach notification for non-EU controllers

The EDPB has updated its guidance on personal data breaches to address breach notification by controllers who are not established in the EU.

The guidelines now state that the mere presence of a representative in an EU Member State does not trigger the one-stop shop system, so non-EU controllers must notify a breach to the supervisory authority in each Member State where data subjects affected by the breach reside. This is an unfortunate burden for organisations not established in the EU, and one that reminds us of the importance of having effective data breach processes in place to ensure all relevant notifications are made on time.

The full guidelines can be found here.

If you are interested in reviewing your data breach processes, we would be happy to assist. Simply raise this with your usual contact or send a message to

