Processor must disclose data breach
The ruling concerns a dispute between market researcher Blauw and ICT service provider Nebu. Blauw uses the services of Nebu. A cyber attack took place at Nebu, during which data was stolen. Nebu informed its clients about this (to a limited extent); however, Blauw demanded more information. Thereupon Blauw initiated summary proceedings. Compliance with processor agreement Blauw and Nebu entered into a data processing agreement (DPA). Such an agreement is mandatory under Article 28 AVG when (loosely translated) outsourcing the processing of personal data. Under the DPA, Nebu is obliged to inform Blauw about incidents relating to the processing of personal data. The parties dispute how broadly this instructional right should be interpreted. The court considers that a broad interpretation is obvious, also in view of the purpose of a processing agreement. All instructions must be followed unless they are not reasonably related to those objectives or are plainly unreasonable. Information to be provided The court therefore largely grants the claim for information to be provided.