I am the sole proprietor of a US company (data controller) providing freelance translation services to customers in a few EU States.
I was informed by a GDPR representative company that I needn't appoint a representative.
However, as I understand it, if there is a breach involving the data of a data subject located in the EU, I must contact the supervisory authority. Must I contact the authority only in the state where the breach occured, or do I have to contact every member state in which I operate?
You may contact the German Supervisory Authority where the data subjects were located. Article 60 GDPR established a cooperation mechanism between Supervisory Authorities that help to assess similar situations and there is mutual recognition of the validity of decisions. Therefore, if a data breach occurs you can notify only one Supervisory Authority (i.e., in Germany).
Here you can find more information about Supervisory Authorities: