To which supervisory authority should personal data breaches be reported?
Data breaches must be notified by the controller to the competent supervisory authority; in principle, the supervisory authority of the Member State in which the controller is established. Article 55 of the GDPR stipulates that: “Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.”
For organisations established in more than one Member State with a designated lead authority, the breach may be notified to the lead authority.
For cross-border processing, the supervisory authority of the main or sole establishment of the controller or processor shall be competent to act as the lead supervisory authority.
The European Data Protection Committee lists the different national data protection authorities.
Data protection authorities in several EU Member States provide dedicated forms for reporting data breaches: Germany, Austria, Belgium, Spain, France, Ireland, Italy, Luxembourg, Czech Republic, Denmark, the Netherlands, Poland, and Portugal.
For notifications to the French Data Protection Commission (CNIL), a special remote service has been set up to facilitate their processing. Controllers are therefore asked to tick a dedicated box to indicate whether the notification relates to the Strasbourg fire.