Data breach reporting obligations of the processor

In the event of a data breach, the controller has to evaluate the potential risk for the data subjects involved and assess whether a report to the data protection authority is necessary. The decision on whether to notify the authority has to be taken by the controller, regardless of whether the data breach occurs at the controller or at a processor. In the event of a privacy incident, the controller should act according to a predefined process or response plan for dealing with data breaches.
Processors who process personal data on behalf of the controller have their own obligations in the event of a data breach. Under Art. 33 para. 2 GDPR, the processor is obliged to notify the controller of any personal data breach that has occurred. This is an obligation to inform the controller, not an obligation to report the data breach to the authority. According to Art. 33 para. 2 GDPR, every personal data breach that comes to the processor's attention (as defined in Art. 4 No. 12 GDPR) has to be reported to the controller.
In the case of a data breach, the processor is not obliged to assess the potential risk to the rights and freedoms of data subjects. This task remains with the controller, as does the decision on whether the incident needs to be reported to the data protection authority. The processor is often simply not able to assess the potential risk in each individual case, since it lacks the information necessary for such a decision. Therefore, all privacy incidents that come to the processor's attention have to be reported to the data controller, including those where the risk to the data subjects is reasonably low. For example, the loss of an encrypted hard disk would also have to be reported to the controller, even if the hard disk had been encrypted according to current technical standards and the potential risk for the data subjects involved is therefore low.
In contrast to the more extensive reporting obligation of the data controller towards the authority, the processor only has to report the facts of the privacy incident. The processor is under no obligation to assess the potential consequences of the data breach.
The processor has the obligation to inform the controller immediately of any privacy incident that has occurred. No specific deadline is set for fulfilling this information obligation; nevertheless, even if not all relevant information about the incident is known yet, the report should be made promptly so that the controller's potential report to the authority is not delayed. Missing information may be submitted at a later stage, if needed.
In practice, despite the clear legal requirements, processors often refrain from reporting a privacy incident to the controller. Processors may mistakenly believe that they can decide for themselves whether or not to report the data breach. More likely, though, they assume that the report may have a negative impact on their trusted working relationship with the controller.