GDPR’s Most Frequently Asked Questions: Do Service Providers Have To Notify Their Clients About ‘Suspected’ Breaches?

BCLP

Question: Do Service Providers Have To Notify Their Clients About ‘Suspected’ Breaches?

Answer: Most likely.

The GDPR requires a processor to notify a controller if it becomes aware of a breach of personal data it is processing on behalf of the controller. A company becomes aware of a breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. While a “suspected” breach may not rise to a “reasonable degree of certainty,” it is important to remember that the relationship between a controller and a processor is required to be governed by contract or other legal act under the GDPR. The governing legal document may provide for a stricter notification requirement, including notification if the processor even merely “suspects” a breach has occurred.

Under the GDPR, the processor must notify the controller “without undue delay.” The Article 29 Working Party – an independent advisory body to the European Commission on data protection matters – recommends that the processor “promptly notifies,” with further information to be provided in phases as the investigation unfolds.[1] This will help the controller comply with its obligation to notify the supervisory authority. The processor can make the notification on behalf of the controller if the parties agree, but the legal responsibility for notification to the supervisory authority and individuals remains with the controller.

1. Article 29 Data Protection Working Party, WP250: Guidelines on Personal Data Breach Notification Under Regulation 2016/679 rev. 01 at 13 (Feb. 6, 2018)


Written by:

BCLP