Within What Timeframe Must a Processor Notify the Controller of a Personal Data Breach?
ANSWER
The SCCs do not specify a precise timeframe within which a processor must notify the controller of a personal data breach when the breach concerns data processed by the processor.
Clause 9.2 of the SCCs states that such notification must be made "without undue delay." Therefore, it is up to the parties to determine the specific timeframe, taking into account the particular circumstances of the processing activities.
The above answer is based on an official document of the European Commission.
You can review it at: https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf
A translated version of this document is also available on our blog under the title: "Standard Contractual Clauses (SCCs) – Questions and Answers".


