Twitter fined – the 72h notification period for data protection breaches under Art. 33 GDPR knows no holidays (Part 2 of 3)
Company holidays or staff shortages – every company is familiar with these when holidays or school breaks are just around the corner. The final tasks are quickly completed, and temporary replacement plans are drawn up as to who must take over what in case of an emergency. However, data protection is often forgotten. This has now also become Twitter's undoing. In a three-part series of articles, our data protection officer and company lawyer, Corinna, examines the specifics of the notification deadlines for data protection violations.
Part 2 - Processor's notification obligation according to Art. 33 (2) GDPR
In Part 1, on the occasion of Twitter's data breach, we dealt with the notification obligations of the controller vis-à-vis the supervisory authority, Art. 33(1) GDPR. In this second part, we will focus on the notification obligations of processors.
Three-part series of articles
To give you an idea of what is important with regard to the notification obligation under Art. 33 GDPR, we have summarised this for you in three parts. In Part 1, we explain the obligation of the controller to notify data protection breaches to the supervisory authority pursuant to Art. 33(1) GDPR; in Part 2, we address the question of whom the processor must notify of data protection breaches; and in Part 3, we finally address the obligation of the controller to notify data protection breaches to the data subjects pursuant to Art. 34 GDPR.
1. Notification obligation of the processor, Art. 33 (2) GDPR
The controller must report data protection breaches of which it becomes aware to the competent supervisory authority. But what if the controller uses you as a processor? Do you then have to report data protection breaches that originate from your area as a processor to the supervisory authority, or does the controller have to do this?
The question can basically be answered by looking at the GDPR. According to Art. 33(2) GDPR, you must report data protection violations to the controller if you become aware of them. Therefore, there is no legal obligation for you to notify the supervisory authority. This obligation to report to the controller results from the fact that you, as a processor, act as a kind of "extended arm" of the controller and carry out the activities it has outsourced to you. The controller, however, remains responsible for the processing of the personal data.
2. "Becoming aware" of the data breach and immediate notification
If you become aware of a data breach, you must notify the controller without undue delay, Art. 33(2) GDPR. As with the controller, the obligation is linked to "becoming aware". As a processor, you must notify the controller of a data breach as soon as there is a high probability of a data breach based on sufficient indications. You may not wait until you have finally and positively identified a data breach; you must notify the controller of every data breach or every possible data breach, and you must do so without undue delay. After receiving the information from you, the controller will check whether a data breach has actually occurred, what risk, if any, exists for the data subjects, and whether notification to the supervisory authority is necessary. The controller must, therefore, again observe the requirements of Art. 33(1) GDPR.
3. Content and form of the notification (processing contract)
The question arises in what form and with what content you have to provide the information to the controller. Art. 33(2) GDPR does not contain any information in this regard. With regard to the content of the notification, however, you can be guided by Art. 33(3) GDPR, which in principle applies to the controller. Of course, you can also consult with the controller, preferably before a possible data breach, on how you should communicate the information.
Art. 33(2) GDPR does not contain any requirements regarding the form of the notification. However, Art. 28(3)(f) GDPR stipulates that the minimum content of a processing contract must include that the processor supports the controller, to the extent possible, in its obligations pursuant to Articles 32 to 36 GDPR, and thus also in the notification obligation to the supervisory authority. You should therefore regulate in the processing contract with the controller how a notification within the meaning of Art. 33(2) GDPR is to be made to the controller, to whom it is to be addressed, and with what content.
In addition, you are free to agree with the controller that you will also report to the supervisory authority on the controller's behalf in parallel with the report to the controller. In that case, the controller's notification obligations pursuant to Art. 33 GDPR then apply to you vis-à-vis the supervisory authority. The controller must note, however, that it remains responsible towards the supervisory authority, for example for a delayed notification made by you. You, in turn, may then face the consequences in your internal relationship with the controller.
Therefore, pay attention to what is regulated in the processing agreement with regard to the obligation to notify data protection violations pursuant to Art. 33(2) GDPR, as it is quite possible that the contractual provisions deviate from the legal rule in Art. 33(2) GDPR.