Case Studies Data Breach Notification
Data Processor in the Charity Sector Breach
The DPC became aware of a breach that had occurred at a data processor, based outside of the DPC’s jurisdiction, which was used by eighteen (18) organisations (data controllers) operating in the charities sector. The organisations provided services largely aimed at supporting vulnerable individuals and are not for profit, with many of their personnel working on a volunteer basis.
The breach occurred when a bad actor gained access to the data processor’s network. The data processor was unable to confirm how long the bad actor may have infiltrated its systems before the discovery of the breach. This resulted in the exfiltration of some data, the deletion of a database that held the data and a ransom note demanding payment. The bad actor made direct contact with the data processor and provided evidence of the exfiltrated data.
The data processor did not pay the ransom and stated that it had restored its systems from backup. However, the exfiltrated data remained a risk.
Only eight of the eighteen organisations were able to confirm having an existing Breach Incident Response Plan, which is a plan for responding to data breaches. Many of the data controllers demonstrated a lack of IT experience of any kind and did not appear to recognise the extent of their Article 24 GDPR obligations (appropriate technical and organisational measures).
Most of the organisations had varying degrees of understanding of the personal and special category data which they held and a number were not able to confirm the categories of data held.
Most of the organisations did not have in place a controller – processor contract pursuant to Article 28(3) GDPR. Instead, these data controllers relied on a Software as a Service Subscription Agreement, which appeared to favour the data processor in terms of its obligations to respond to, or provide information about, a security incident.
A number of the organisations did not conduct a Data Protection Impact Assessment (DPIA) despite the nature of the organisation and the clients for whom they cater. Some organisations stated that they were unable to perform a DPIA because the data processor refused to supply information about its systems and the breach.
The DPC engaged with the Data Protection Authority in the country where the processor was located to gather and share information. The DPC further engaged with the organisations in both a regulatory and a supervisory capacity. The DPC provided a number of recommendations, which emphasised the organisations’ obligations to be aware of the categories of personal data they processed pursuant to Article 4(1) and Article 9 GDPR. The DPC also emphasised the importance of vetting any third party they chose to engage with before permitting it to process personal data (Article 28(1) GDPR), as well as their obligation to ensure that a processing agreement is in place which clearly sets out the responsibilities of both parties (Article 28(2) GDPR) and is tested regularly.