Data breaches at third parties – when business partners report data breaches


Perhaps this has happened to you: you receive a message that something has gone wrong at your service provider. For example, because there was a cyber-attack and personal data was compromised. Recently, this has happened at several of our clients.

What should you do in such a case? Do you have to act if you receive such a message?

  • Check whether data about your own employees could be affected (such as access data to an online service). If so, inform these colleagues by forwarding the message to them. In this way, employees are aware (e.g., in case of phishing attacks and to increase their own password security, if necessary).
  • Check whether data about your own customers or business partners might have been affected. If the service provider acted as your processor, action is required if the data was exposed to an actual risk.
    Caution: You may also have to report the incident within 72 hours. Gather the facts as quickly as possible and involve your data protection officer at an early stage. We will then clarify the situation together without delay.

No action is required if the service provider was not your processor. If you are unsure, it is best to ask your data protection officer.  

The topic of data breaches is also so sensitive because every incident must be evaluated in terms of data protection law within a very short time. If the incident has created a data protection risk, this must be reported to the data protection supervisory authority. Last year, this happened almost 30,000 times in Germany – and the trend is still rising.

If you receive news that a business partner has had a data breach, quickly review the incident. If they were acting as a processor and your data is also affected, you may also have to file a notification with the supervisory authority yourself.

Related Posts