Introductory note

This precedent provides suggested clause wording for mandatory data breach notification obligations. It is drafted from the perspective of a customer seeking to manage these obligations by its supplier. It is most likely such a clause would appear in a technology services agreement or similar.

Mandatory data breach obligations may be triggered in a number of circumstances where a supplier is hosting, storing or managing customer data. Such data may often be a combination of personal information as well as other data. The obligations relating to mandatory data breach notification only apply in respect of personal information.

We would expect the agreement to separately deal with obligations relating to broader privacy compliance and data security compliance. The clauses below may be incorporated as part of the broader privacy/data security obligations or separately under their own heading.