Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
Guides vendor breach notification cascades per GDPR Article 33(2): processor-to-controller alerts without delay, escalation paths, multi-party response coordination, liability allocation, regulatory notifications. Useful for privacy incident response.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeHow this skill is triggered — by the user, by Claude, or both
Slash command
/privacy-skills-complete:vendor-breach-cascadeThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
GDPR Article 33(2) requires that a processor notify the controller "without undue delay after becoming aware of a personal data breach." This obligation creates a notification cascade: the processor must notify the controller promptly, enabling the controller to assess and notify the supervisory authority within 72 hours per Article 33(1), and to notify affected data subjects per Article 34 whe...
Guides vendor breach notification cascades per GDPR Article 33(2): processor-to-controller alerts without delay, escalation paths, multi-party response coordination, liability allocation, regulatory notifications. Useful for privacy incident response.
Executes GDPR Article 33 personal data breach notifications to supervisory authorities within 72 hours, covering risk assessment, deadline calculation with holidays/weekends, required content, and DPO involvement.
Assesses GDPR personal data breach risks for notification obligations under Articles 33/34 using CIA triad classification, sensitivity scoring, volume, identifiability, and EDPB guidelines.
Share bugs, ideas, or general feedback.
GDPR Article 33(2) requires that a processor notify the controller "without undue delay after becoming aware of a personal data breach." This obligation creates a notification cascade: the processor must notify the controller promptly, enabling the controller to assess and notify the supervisory authority within 72 hours per Article 33(1), and to notify affected data subjects per Article 34 where there is a high risk to their rights and freedoms.
The EDPB Guidelines 9/2022 on personal data breach notification emphasize that "without undue delay" for processor-to-controller notification should be interpreted strictly — the processor should notify as soon as it has established that a breach has occurred, even if full details are not yet available. DPA-specific timeframes (e.g., 24 hours) may be contractually imposed.
At Summit Cloud Partners, the Vendor Breach Notification Cascade Protocol ensures rapid, coordinated response when a vendor reports a personal data breach.
BREACH OCCURS AT VENDOR (PROCESSOR)
│
├─► T+0: Vendor detects breach
│
├─► T+[DPA timeframe]: Vendor notifies Summit Cloud Partners
│ (DPA standard: within 24 hours of becoming aware)
│ Required content per DPA:
│ ├─ Nature of the breach
│ ├─ Categories and approximate number of data subjects
│ ├─ Categories and approximate number of records
│ ├─ DPO/contact point name and details
│ ├─ Description of likely consequences
│ └─ Measures taken or proposed
│
├─► T+0 to T+72h (from controller awareness): Summit Cloud Partners
│ assesses and decides on supervisory authority notification
│ (Article 33(1): within 72 hours, unless unlikely to result
│ in risk to data subjects)
│
├─► If high risk to data subjects: Summit Cloud Partners notifies
│ affected data subjects per Article 34
│
└─► If sub-processors involved: Vendor ensures sub-processor
cascade notification (sub-processor → processor → controller)
| Notification | GDPR Requirement | Summit Cloud Partners DPA Standard |
|---|---|---|
| Processor → Controller | "Without undue delay" (Art. 33(2)) | Within 24 hours of becoming aware |
| Controller → Supervisory Authority | Within 72 hours (Art. 33(1)) | Within 72 hours |
| Controller → Data Subjects | "Without undue delay" (Art. 34(1)) | As soon as practicable after SA notification |
| Sub-processor → Processor | Per sub-processor DPA | Within 12 hours of becoming aware |
Upon receiving breach notification from vendor:
| Step | Action | Responsible | Timeframe |
|---|---|---|---|
| 1.1 | Log notification in breach register | Privacy Team on-call | Immediate |
| 1.2 | Verify notification came from authorized vendor contact | Privacy Team | 15 minutes |
| 1.3 | Acknowledge receipt to vendor | Privacy Team | 30 minutes |
| 1.4 | Alert Summit Cloud Partners Breach Response Team | Privacy Team | 30 minutes |
| 1.5 | Classify initial severity | Breach Response Team Lead | 1 hour |
| 1.6 | Activate appropriate response level | Breach Response Team Lead | 1 hour |
Severity Classification:
| Level | Criteria | Response Level |
|---|---|---|
| Critical | Special category data exposed; > 10,000 data subjects; criminal access confirmed | Full incident response — all hands |
| High | Sensitive data exposed; 1,000-10,000 data subjects; active threat | Expanded response team |
| Medium | Standard personal data exposed; < 1,000 data subjects; contained | Core response team |
| Low | Limited exposure; pseudonymized data; no evidence of access | Privacy Team + InfoSec lead |
| Step | Action | Responsible |
|---|---|---|
| 2.1 | Request detailed incident report from vendor | Privacy Team |
| 2.2 | Identify affected Summit Cloud Partners data and data subjects | Privacy Team + IT |
| 2.3 | Assess whether breach is "likely to result in a risk" (Art. 33(1) threshold) | DPO |
| 2.4 | Assess whether breach results in "high risk" (Art. 34(1) threshold) | DPO |
| 2.5 | Coordinate with vendor on containment confirmation | InfoSec Team |
| 2.6 | Determine if other controllers are affected (multi-tenant breach) | Privacy Team |
| 2.7 | Engage legal counsel if liability implications exist | Legal Team |
| 2.8 | Draft preliminary supervisory authority notification (if threshold met) | DPO + Legal |
Vendor Information Requests:
| Information Required | Purpose |
|---|---|
| Root cause analysis (even preliminary) | Understand attack vector and likelihood of ongoing risk |
| Exact data categories compromised | Assess risk to data subjects |
| Exact data subject count or best estimate | Determine notification scope |
| Timeline: when breach occurred, when detected, when contained | Assess detection capability |
| Containment measures implemented | Verify threat neutralized |
| Evidence of data exfiltration (yes/confirmed no/unknown) | Critical for risk assessment |
| Impact on other clients (for multi-tenant breach) | Coordination requirement |
| Forensic investigation status and expected completion | Planning input |
| Decision | Criteria | Action |
|---|---|---|
| Notify SA | Breach likely to result in risk to data subjects | File notification within 72 hours of awareness |
| Do not notify SA | Breach unlikely to result in risk (documented assessment) | Document decision and rationale; retain in breach register |
| Notify in phases | Cannot provide full details within 72 hours | File initial notification within 72 hours; provide updates as available |
Article 33(3) Notification Content:
| Required Element | Description |
|---|---|
| (a) | Nature of the breach including categories and approximate number of data subjects and records |
| (b) | Name and contact details of DPO or other contact point |
| (c) | Likely consequences of the breach |
| (d) | Measures taken or proposed to address the breach and mitigate effects |
Article 34(1) requires notification to data subjects when the breach "is likely to result in a high risk to the rights and freedoms of natural persons."
Exemptions (Article 34(3)):
Notification Content:
| Activity | Responsible | Timeline |
|---|---|---|
| Monitor vendor's ongoing investigation | Privacy Team | Ongoing |
| Request and review vendor's root cause analysis | Privacy Team + InfoSec | Within 30 days |
| Assess vendor's remediation plan | Privacy Team + InfoSec | Within 30 days |
| Verify remediation implementation | InfoSec | Within 60 days |
| Update vendor risk score | Privacy Team | Immediate |
| Evaluate contractual remedies | Legal Team | Within 30 days |
| Conduct lessons-learned review | Breach Response Team | Within 90 days |
The DPA should address breach-related liability:
| Provision | Description |
|---|---|
| Processor indemnification | Processor indemnifies controller for losses caused by processor breach (including fines to the extent legally permissible) |
| Cooperation obligation | Processor must cooperate fully with controller's investigation and regulatory notifications |
| Forensic costs | Allocation of forensic investigation costs |
| Notification costs | Allocation of data subject notification costs |
| Credit monitoring | Allocation of credit monitoring / identity protection costs for affected data subjects |
| Regulatory engagement | Processor must participate in regulatory inquiries |
| Limitation of liability | Carve-out for data protection breaches from general liability caps (where negotiable) |
When a breach at a sub-processor or infrastructure provider affects multiple processors and controllers:
| Role | Responsibilities |
|---|---|
| Sub-processor | Notify all affected processors; provide consistent information |
| Processor (Vendor) | Notify all affected controllers; coordinate information flow |
| Controller (Summit Cloud Partners) | Assess own impact; make own regulatory notification decisions |
| Lead Supervisory Authority | May coordinate cross-border notifications if multiple EU/EEA controllers affected |