European Data Protection Board’s comment on Cathay Pacific’s data leak & potential GDPR violation

Econ記者
3 min read · Oct 26, 2018

Below are the question and answers I got from the European Data Protection Board, regarding whether the recent Cathay Pacific data breach potentially constitutes a violation of the General Data Protection Regulation of the European Union.

Q: Assuming the leaked data involve EU citizens’ data information, may I ask if Cathay Pacific is required to report to any of the European Data Protection offices? Also, if they fail to do so, does it constitute a potential violation of GDPR?

Concerning GDPR applicability, when a company is not established in the EU, the GDPR applies when this company offers services to data subjects in the EU. So if the airline based in Hong Kong offers services to data subjects in the EU, the GDPR will apply.

The obligation under the GDPR is to notify a data breach to the supervisory authority when it represents a risk for the rights and freedoms of the individuals. In addition, the GDPR requires the communication of the data breach to the individuals affected if it represents a high risk for the individuals. Regarding the notification to the supervisory authority, the EDPB is of the opinion that when the company has an establishment in the EU, it can be made to the lead supervisory authority. In case there is no…
