Data breach notification
Answer: Based on the information provided, there could be two potential situations that should be considered:
1) If the customers are legal entities (companies), the company would have to notify the affected legal entities about the personal data breach and not the Supervisory Authority. Usually the requirements for the breach notification (both the timing and the content of the notification) would be established by the customers and mentioned in a legally binding document (a diligent customer would require the provider to notify all data breaches and not only personal data breaches). The Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit would provide guidance on how to handle the personal data breach internally: https://advisera.com/eugdpracademy/documentation/data-breach-response-and-notification-procedure/
2) If the customers are natural persons (individuals), then the data breach could also be handled based on the Data Breach Response and Notification Procedure from the EU GDPR Implementation toolkit.
With regard to the assessment of the impact of the personal data breach, if the provider has access to the personal data that was subject to the data breach, the provider should identify the risk for the customers and determine the notification requirements.
However, if the Data Center cannot access the information, it is advisable to have a clause in the Terms & Conditions or the contract stating roughly that the customer should not upload any personal data or sensitive information without implementing adequate security measures such as encryption, and that the provider would not be responsible for any direct or indirect losses generated by the personal data breach.
Nov 19, 2017