Certified Information Privacy Professional – Europe (CIPP/E) — Question 268
According to the European Data Protection Board, if a controller that is not established in the EU but still subject to the GDPR becomes aware of a personal data breach, which supervisory authority or authorities must be notified?
Answer options
- A. Only the supervisory authority of the EU member state in which the controller's EU representative (pursuant to Article 27) is established.
- B. Only one lead supervisory authority, as a controller benefits from the one-stop shop mechanism under the GDPR’s enforcement regime.
- C. Every supervisory authority of the EU member states where the controller is offering goods or services.
- D. Every supervisory authority for which affected data subjects reside in their EU member state.
Correct answer: A
Explanation
The correct answer is A because, under the GDPR, a non-EU controller must notify the supervisory authority of the EU member state in which its representative is located. Options B, C, and D are incorrect: B relies on the one-stop shop mechanism, which does not apply in this case, while C and D misrepresent the requirement by calling for notification of multiple authorities rather than only the relevant one.