Q: Assuming the leaked data involves EU citizens' data, may I ask if Cathay Pacific is required to report to any of the European Data Protection offices? Also, if they fail to do so, does it constitute a potential violation of GDPR?

Concerning GDPR applicability, when a company is not established in the EU, the GDPR applies when this company offers services to data subjects in the EU. So if the airline based in Hong Kong offers services to data subjects in the EU, the GDPR will apply.

The obligation under the GDPR is to notify a data breach to the supervisory authority when it represents a risk for the rights and freedoms of the individuals. In addition, the GDPR requires the communication of the data breach to the individuals affected if it represents a high risk for the individuals.

Regarding the notification to the supervisory authority, the EDPB is of the opinion that when the company has an establishment in the EU, it can be made to the lead supervisory authority. In case there is no establishment in the EU (as it seems to be the case here), this is typically the supervisory authority of the Member State where the representative in the EU is located. Indeed:

“Where a controller not established in the EU is subject to Article 3(2) or Article 3(3) and experiences a breach, it is therefore still bound by the notification obligations under Articles 33 and 34. Article 27 requires a controller (and processor) to designate a representative in the EU where Article 3(2) applies. In such cases, WP29 recommends that notification should be made to the supervisory authority in the Member State where the controller’s representative in the EU is established. Similarly, where a processor is subject to Article 3(2), it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2).”

If no representative has been appointed, all national authorities concerned by the data breach need to be notified.

EU data subjects affected by the breach also have the right to file a complaint with their national supervisory authority, which is then competent to investigate.

Further information on Data Breaches can be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052