Practicalities of Data Incidents Involving EU Data Subjects and Non-EU Companies

Issue 12.5

The contemporary European market witnesses a large number of highly operational business models that target European consumers and are, simultaneously, managed outside the European Union. There are businesses whose central administration or decision-making hubs are not established in any EU member state. Some of them neither control nor process data of their consumers within the EU. At the same time, some of these businesses are also subject to strict and enforceable international regulations in addition to the applicable EU legislation.

While the above constitute legitimate forms of doing business in the EU, there are some matters related to the compliance status of such business models in terms of personally identifiable information.

These include the compliance response commitments in case of data incidents. For example, if an international commercial passenger carrier flying to or from Europe suffers a breach of its databases, the carrier is nonetheless subject to the obligations provided in Article 33 of the GDPR. Such a carrier needs to serve a series of notifications no later than 72 hours after having become aware of the data incident. These notifications must be served irrespective of the carrier's lack of any EU corporate presence. The mere fact that the compromised database contained personal data of EU citizens suffices to trigger the notification obligation. The practical issue that comes up in such a scenario is which authority needs to be notified: which body is “the supervisory authority” if the carrier and its data processing contractors lack any EU establishment?

Common sense business thinking would be that, in such a scenario, no notification would be due if the incident was immediately fixed and no rights or freedoms of any clients were exposed to a high risk. While this might be the advisable approach with regard to notifying data subjects, it is highly unlikely that such silence is compliant with the GDPR when it comes to notifying the supervisory authority.

The advisable and GDPR-compliant approach in the mentioned scenario requires a level-headed analysis in order to identify the exact “supervisory authority” to notify. The key criterion is the nationality or residence of the consumers whose data was collected and processed in the attacked database. If the database contained data of EU citizens or of third-country nationals who reside in the EU, the supervisory authority is to be determined on the basis of that information.

If there is more than one nationality in the database, it becomes necessary to notify the supervisory authority of each EU member state whose citizens’ data might have been exposed to risk as a result of the data incident. Given the national laws of some member states, it might even become necessary to notify more than one local supervisory authority. Multiple notifications to multiple supervisory authorities across the EU might sound disproportionate, but they might be the only legal vehicle available to spare the carrier further regulatory interventions or financial exposure.

The notification requirement is still applicable even if the incident was immediately fixed after the carrier became aware of it. The incident itself needs to be reported to the supervisory authority, factually considering the risks to the rights and freedoms of the clients.

As for notifying the clients, the general rule is that those whose data identifies them as EU citizens or residents need to be notified. The lack of an EU establishment does not change this requirement. However, the possibly disproportionate effort required on the part of the carrier to do so, or the mentioned immediate fix after the incident, may serve as legitimate reasons for the carrier not to notify the clients/data subjects (unlike the supervisory authorities, which must be notified in any case).

Determining the lead supervisory authority and the associated one-stop-shop mechanism seems to be a challenging exercise and would primarily depend on the facts of the case. The number of EU citizens affected by the data incident, or other objective criteria such as the predominant commercial routes within the EU, may be among the factors used to determine the lead supervisory authority.

By Mitko Karushkov, Partner, Karushkov Legal Solutions

This article was originally published in Issue 12.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.