GDPR Revision Outlook (IV): Data Breach Reporting Threshold Raised, Timeline Extended, Enterprises to Face Major Changes in Emergency Response
Introduction
Since its entry into force in 2018, the General Data Protection Regulation (GDPR) has profoundly impacted global enterprises, especially Chinese-funded enterprises with business dealings in the EU market. A core aspect of GDPR is its requirement for reporting personal data breaches, mandating notification to supervisory authorities within 72 hours of becoming aware of a breach. However, with the rapid development of the digital economy and increasingly complex data processing practices, the European Commission recognized that the existing framework might impose unnecessary compliance burdens on businesses in some areas. To address this, on November 19, 2025, the European Commission published the “Proposal for Regulation on simplification of the digital legislation,” also known as the “Digital Omnibus,” aiming to achieve a “simpler and faster Europe” through targeted revisions to GDPR and other digital regulations.
This article will deeply analyze the proposed revisions to the data breach reporting mechanism within the Digital Omnibus, including its background, specific content, potential impacts on Chinese-funded enterprises, and strategic implications, along with compliance recommendations.
Core Content Analysis
The Digital Omnibus’s revisions to the GDPR data breach reporting mechanism are primarily reflected in the following aspects:
1. Adjustment of Reporting Thresholds
Under the existing GDPR Article 33, data controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” The Digital Omnibus proposal aims to align the standard for reporting data breaches to supervisory authorities with the standard for notifying data subjects, meaning that a report to the competent supervisory authority will only be required when the data breach “is likely to result in a high risk to the rights and freedoms of natural persons”. This implies that for data breaches unlikely to pose a high risk to individuals, enterprises will no longer be mandated to report to supervisory authorities, potentially easing their compliance burden.
2. Extension of Reporting Timelines
The Digital Omnibus proposal extends the data breach reporting timeline from the current 72 hours to 96 hours (where feasible), with reasons required for any delay. This adjustment provides enterprises with more time to assess the nature, scope, and impact of the data breach, and to take initial remedial actions, thereby submitting a more accurate and comprehensive report. However, this does not mean enterprises can lower their guard; they still need to initiate emergency response procedures “immediately” upon becoming aware of a data breach.
3. Establishment of a “Single Entry Point” for Incident Reporting
Given the current situation in the EU where multiple horizontal or sectoral regulations require enterprises to report data security incidents to different supervisory authorities using various technical means and channels, the Digital Omnibus promotes the establishment of a “single entry point for incident reporting”. The aim of this mechanism is to simplify the reporting process, preventing enterprises from having to report the same incident repeatedly to multiple authorities, thereby improving reporting efficiency and reducing administrative costs. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) support this, believing it will help simplify compliance processes for controllers.
4. Development of a General Template and a List of “High-Risk Scenarios”
The Digital Omnibus states that the EDPB should be required to develop a general template for incident reporting and to list “what circumstances typically constitute a high risk”. This will provide clearer guidance for enterprises, helping them determine when to report a data breach and how to do so, thereby improving the accuracy and consistency of reporting.
Impact on Chinese-funded Enterprises
The revisions to the GDPR data breach reporting mechanism in the Digital Omnibus will have the following potential impacts on Chinese-funded enterprises operating in the EU or processing personal data of EU residents:
1. Reduced Compliance Burden Coupled with New Challenges
The raised reporting threshold is expected to reduce the reporting burden on enterprises for low-risk data breaches. However, accurately determining “likely to result in a high risk to the rights and freedoms of natural persons” will become a new challenge. Enterprises need to adjust and optimize their internal risk assessment mechanisms to ensure they can accurately identify and evaluate the risk level of data breaches. The general template and list of “high-risk scenarios” to be published by the EDPB will serve as important references.
2. Adjustment of Emergency Response Mechanisms
The extended reporting timeline provides enterprises with more preparation time but also requires them to focus more on in-depth investigation and analysis of data breach incidents within their internal emergency response processes. Enterprises need to review and adjust their data breach emergency response plans to ensure that necessary assessments, remediation, and report preparation can be completed within 96 hours. This includes, but is not limited to: incident discovery and confirmation, impact assessment, containment and recovery, root cause analysis, and communication strategies with supervisory authorities and data subjects.
3. Simplification and Unification of Reporting Processes
The establishment of a “single entry point” will be a significant benefit for enterprise reporting processes and is expected to resolve the current complexity of reporting to multiple authorities. Chinese-funded enterprises should closely monitor progress on building the “single entry point” and its specific operational rules, so that they can fulfill their reporting obligations efficiently once it is in place. Until then, enterprises must continue to report data breaches to the competent authorities in accordance with existing GDPR provisions.
4. Continuous Monitoring of Legislative Developments and Guidance
The Digital Omnibus is currently in the proposal stage, and the final text may still change. Furthermore, the general template and guidelines to be published by the EDPB will significantly impact practical implementation. Chinese-funded enterprises need to continuously monitor the latest developments from EU legislative bodies and data protection authorities and adjust their internal compliance strategies accordingly.
Compliance Recommendations
To address the potential revisions to the GDPR data breach reporting mechanism, Chinese-funded enterprises should adopt the following compliance recommendations:
- Optimize Data Breach Risk Assessment Mechanisms: Review and optimize internal data breach risk assessment processes based on the new standard of “likely to result in a high risk to the rights and freedoms of natural persons.” Strengthen capabilities for identifying, classifying, and assessing the risk level of data breaches to accurately determine whether reporting to supervisory authorities is required.
- Revise Emergency Response Plans: Incorporate the extended data breach reporting timeline of 96 hours into emergency response plans and adjust internal investigation, remediation, and report preparation schedules accordingly. Enhance training for internal teams to ensure they are familiar with the new reporting requirements and processes.
- Monitor “Single Entry Point” Development: Closely follow progress on building the EU’s “single entry point” and its specific operational guidelines. Once the “single entry point” is operational, actively use this mechanism to simplify reporting processes and improve reporting efficiency.
- Refer to EDPB Guidelines: The general template for incident reporting and the list of “high-risk scenarios” to be published by the EDPB will be crucial for enterprise compliance. Enterprises should promptly study and adopt these guidelines, integrating them into their internal compliance practices.
- Strengthen Internal Data Governance: Reduce the risk of data breaches at the source by implementing measures such as enhanced data encryption, access control, and employee training. Establish a sound data governance system to improve data security protection capabilities.
- Seek Professional Legal Advice: Given the complexity and dynamic nature of GDPR revisions, Chinese-funded enterprises are advised to regularly seek professional legal advice to ensure their compliance strategies remain aligned with the latest regulatory requirements.
Conclusion
The Digital Omnibus’s revisions to the GDPR data breach reporting mechanism represent a significant effort by the EU to balance data protection with the compliance burden on enterprises. The raised reporting threshold, extended timeline, and establishment of a “single entry point” are expected to bring some compliance convenience to Chinese-funded enterprises. However, enterprises still need to actively address new challenges, optimize internal risk assessment and emergency response mechanisms, and continuously monitor legislative developments and regulatory guidelines to ensure compliance in the evolving EU data protection landscape. Through proactive preparation and active adjustments, Chinese-funded enterprises will be better able to adapt to the new GDPR requirements, effectively manage data breach risks, and maintain their reputation and competitiveness in the EU market.
Disclaimer
This article is for discussion and exchange purposes only and does not constitute any form of legal opinion or advice issued by Guangyue Law Firm (廣悅律師事務所) or its lawyers. To reproduce or quote any content of this article, please contact the firm for authorization and cite the source when reproducing or quoting. If you wish to discuss related matters further or need professional legal support, you are welcome to contact the firm.
Contact: Ms. Ye Wen
We look forward to further exchanges with you!
About Guangyue Law Firm
Founded in 2008, Guangyue Law Firm is a full-service law firm with a foreign-related practice, rooted in the Greater Bay Area and committed to integrated management. To date, Guangyue has built a professional team of more than one hundred lawyers and other legal service staff and has developed a diversified practice system that provides clients with high-quality, comprehensive, one-stop legal services. Following its development strategy of “rooted in the Bay Area, collaborating with Hong Kong and Macau, facing the world,” Guangyue now has eight offices: Guangzhou, Hong Kong (China), Shenzhen, Bangkok (Thailand), Los Angeles (USA), Sydney (Australia), Tokyo (Japan) and Milan (Italy), with clients across many countries and regions at home and abroad.
Contributed by | Guangyue Milan Office
Editor | Wu Baoxuan
Reviewed by | Su Bing
Approved by | Brand Promotion and Market Development Committee