Could you help me understand who is responsible for a data breach if there is more than one controller?
Example Scenario:
- Companies A and B have a joint controller or data sharing agreement (controller to controller), used to provide similar customer services: CRM, email, billing, etc.
- Company A collects customer information and shares it with Company B.
- Company B subsequently suffers a data breach exposing the shared data.
Who is responsible for this breach, Company A or B?
If required, who reports the breach to the customers/commissioner?
According to Article 26 of the GDPR, the joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation […] by means of an arrangement between them […] The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects”. So, since you mentioned that joint controllers A and B have such an agreement, the agreement should include each controller’s responsibilities related to each phase of personal data processing. If Company B suffered a data breach, then Company B should be held accountable, but it depends a lot on what exactly is written in the data sharing agreement regarding responsibilities, who does the reporting to the relevant data protection authority, and of course on what was communicated to the data subjects, as required by Art. 26 GDPR: “The essence of the arrangement shall be made available to the data subject.”
Please check these links:
- Article 26 – Joint controllers: https://advisera.com/gdpr/joint-controllers/
- Article 24 – Responsibility of the controller: https://advisera.com/gdpr/responsibility-of-the-controller/
- Key roles defined in EU GDPR: https://advisera.com/articles/key-roles-defined-in-eu-gdpr/
- Implementing 3 main accountability principles under the EU GDPR: https://advisera.com/articles/implementing-3-main-accountability-principles-under-the-eu-gdpr/
Jan 12, 2023