Case Studies Data Breach Notification


Breach Notification (Voluntary Sector) — Ransomware Attack

In May 2020, the DPC received a breach notification from an Irish data processor and subsequently a notification from an Irish data controller operating in the voluntary sector who had engaged this processor to provide webhosting and data management services.

The breach related to a ransomware attack that occurred in the data centre used by the data processor. The attacker gained access to the server through an exposed Remote Desktop Protocol (RDP) port and deployed the malware from there.

The DPC engaged with both the controller and the processor through a number of communications — including the issuing of technical and organisational questionnaires focusing on areas of potential non-compliance with data protection regulation. These areas included the processor's use of a data centre in the US to store back-up data without adequate agreements in place, and the absence of sufficient oversight by the controller over its processor, as required under Article 28 of the GDPR. The DPC engaged intensively with both parties and concluded the case by issuing recommendations to both the controller and the processor. Thereafter the DPC continued to engage with both parties to ensure that the recommendations had been implemented.