In cases where the processor has to respond to a data subject, they must do so without undue delay. This means that even if a time limit of, for instance, 30 days has been set, you still may not take unnecessarily long to respond to the data subject.
As a controller to a data subject
As a processor to a controller
Once a data breach has been discovered by the processor, the processor should inform the controller without undue delay. Oftentimes you’ll see in processing agreements that the processor has 72 hrs to inform the controller. But why accept that?! Yes, they might not have all the information that is helpful to you as a controller, but you need to be able to take action if needed, or at a minimum get some employees together to roll out a contingency plan, mitigation plan or other precautions. And since you are the controller, YOU decide. So, my advice to you is to make sure that the processor has only 24 hrs to inform you after they become aware. The sooner you know about a breach, the smaller the impact on data subjects is if the information is out there for the taking. Also, as seen above, they need to be able to take the necessary precautions (such as changing passwords, etc.). Fine: approximately € 525.000,-
As a controller to a Data Authority
Notification of a personal data breach to the supervisory authority within 72 hours after becoming aware. This does not mean you need to have ALL the answers. You need to inform them. And having good risk management in place will help you assess whether the impact on data subjects is high or not. Giving that information at a minimum will help the Data Authority know what steps to take. You’ll have more time to get your things in order (without undue delay, of course!), but you must at least inform them within 72 hrs of becoming aware. Fine: approximately € 525.000,-