Could you help me understand who is responsible for a data breach if there are more than one controller?
- Company A and B have a joint controller or data sharing agreement (controller to controller). User to provide similar customer services, CRM, email, billing etc.
- Company A collects customer information and shares it with Company B.
- Company B subsequently suffers a data breach exposing the shared data.
Who is responsible for this breach Company A or B?
If required who reports the breach to the customers/commissioner?