vendor-breach-cascade
Vendor Breach Notification Cascade
Overview
GDPR Article 33(2) requires that a processor notify the controller "without undue delay after becoming aware of a personal data breach." This obligation creates a notification cascade: the processor must notify the controller promptly, enabling the controller to assess and notify the supervisory authority within 72 hours per Article 33(1), and to notify affected data subjects per Article 34 where there is a high risk to their rights and freedoms.
The EDPB Guidelines 9/2022 on personal data breach notification emphasize that "without undue delay" for processor-to-controller notification should be interpreted strictly — the processor should notify as soon as it has established that a breach has occurred, even if full details are not yet available. DPA-specific timeframes (e.g., 24 hours) may be contractually imposed.
At Summit Cloud Partners, the Vendor Breach Notification Cascade Protocol ensures rapid, coordinated response when a vendor reports a personal data breach.