Breach notification
Our commitment
Where Imageplus becomes aware of a personal data breach affecting personal data processed on behalf of a client, we notify the client without undue delay in accordance with GDPR Article 33(2).
What we notify
The notification includes, to the extent available at the time:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records affected
- The likely consequences of the breach
- The measures taken or proposed to address it
Where complete information is not available at the time of initial notification, we provide further information as it becomes available.
Engagement-specific timelines
Specific notification timelines may be agreed in writing in the applicable SLA or engagement documentation. Where such timelines are agreed, they prevail over the standard commitment above.
Controller responsibilities
The client, as data controller, remains solely responsible for notifying the competent supervisory authority and affected data subjects in accordance with GDPR Articles 33 and 34. Imageplus assists with information and documentation to support that process.