Data breach notification obligations in commercial contracts

When negotiating and drafting contracts with partner organisations or entities, an entity should ensure it adequately negotiates and drafts data breach notification obligations. One important consideration is determining which entity will notify the Privacy Commissioner and affected individuals in the event an eligible data breach occurs to multiple entities.

Entities should ensure that all personnel adequately understand any contractual obligations that may arise from commercial contracts if a data breach occurs.