The European Data Protection Board (EDPB) Guidelines 01/2021 on Examples regarding Personal Data Breach Notification [Version 2.0] contain useful information on assessing the data breach notification obligation under article 33 GDPR and article 34 GDPR. The guidelines also include a list of example scenarios, with considerations as to whether there is an obligation to notify the competent supervisory authority (article 33 GDPR) and/or an obligation to inform the data subjects (article 34 GDPR), based on an assessment of the specific risks to the rights and freedoms of natural persons.
A few days after the EU GDPR took effect at the end of May 2018, the non-profit organization “None Of Your Business” (NOYB) filed a complaint in accordance with article 80 EU GDPR against Google LLC (CA 94043, United States) with the French data protection authority (CNIL) on behalf of a person affected as a user of a smartphone with Google’s Android operating system. At the same time, the NGO “La Quadrature du Net” (LQDN) filed a complaint against Google LLC with the French data protection authority (CNIL). This complaint, made in accordance with article 80 EU GDPR, was filed on behalf of 9973 affected persons resident in France.
Based on these two complaints, the French data protection authority (CNIL), in its decision of January 21, 2019, imposed a financial penalty of 50 million euros (under article 83 GDPR) on Google LLC for lack of transparency, inadequate information and lack of valid consent regarding ads personalization.