Blauw Research B.V. – Court Ruling (Netherlands, 2023)

Court Ruling
DPA RbRotterdam, 6 April 2023, Netherlands
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Blauw Research took a software provider to court after a cyber attack exposed personal data. The court examined whether the provider met its obligations to inform the research company about the breach. This case emphasizes the need for clear communication and responsibility in data processing agreements.

What happened

Blauw Research sued its software provider after a cyber attack leaked personal data.

Who was affected

Individuals whose personal data was stored in cloud databases and surveys affected by the breach.

What the authority found

The court reviewed whether the software provider fulfilled its duty to inform the research company about the data breach as per their agreement.

Why this matters

This case underscores the importance of clear data breach communication in processing agreements. Companies should ensure their contracts specify timely and detailed reporting of security incidents.

GDPR Articles Cited

Art. 28(3) GDPR
Decision Authority: Rb. Rotterdam
Full Legal Summary

In this decision, Blauw Research B.V., a market research agency (controller), had a processing agreement with NEBU B.V., a software provider (processor). On 10-11 March 2023, the processor suffered a cyber attack in which third parties gained unauthorized access to its servers and extracted data. The processor informed the controller two days after the attack took place. The controller requested more information, and the processor confirmed that data (passwords) had been stolen and personal data (stored in cloud databases and surveys) had been leaked.

After repeatedly requesting information and remaining unsatisfied with the processor's replies, the controller brought the case to the Court of Rotterdam. During the proceedings, the controller explained that, in its view, the processing agreement required the processor to provide information regarding security incidents and data breaches at all times. It also argued that the information provided following the cyber attack was not sufficient to meet the requirements set out in the agreement. The processor objected to this claim.

As a result, the controller asked the court to order the processor to:

1. provide information about (i) the details of the cyber attack; (ii) how and with what methods the system was recovered after the attack; (iii) an overview of which customers' personal data were leaked; (iv) the perpetrators of the attack; (v) which preventive and reactive technical and organisational measures were taken; (vi) internal reporting within the processor's organisation about the cyber attack that had taken place;
2. in the future, within 4 hours after new information is available, transfer this information to the controller and send an update on the state of affairs twice a day (at 14:00 and 19:00);
3. appoint a forensic investigator to carry out a root-cause analysis; and
4. provide all necessary assistance and answer all of the controller's questions.

In the event of non-compliance, the controller claimed a penalty

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Related Cases (0)

No other cases found for Blauw Research B.V. in NL

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

6 April 2023

Authority

DPA RbRotterdam

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Blauw Research B.V. - Netherlands (2023). Retrieved from cookiefines.eu
