Eraneos maintains a global obligation to report and manage data breaches and security incidents. This page explains what constitutes a data breach, who must report, how to report, and how Eraneos will handle your notification. It applies to all regions in which Eraneos operates and to all suppliers, customers, partners, subcontractors, and other third parties that handle Eraneos data, client data processed by Eraneos, or systems and services connected to Eraneos operations.
Legal context Across many jurisdictions, including the European Union, organisations must notify supervisory authorities of certain personal data breaches without undue delay and, where applicable, within time limits set by law (for example, within 72 hours under the EU GDPR). In some cases, affected individuals must also be informed. Eraneos will determine whether notification to regulators and/or individuals is required in the relevant jurisdictions and will coordinate any such communication.
What is a data breach?
A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
This includes
- Confidentiality breaches (e.g., sending personal data to the wrong recipient, unauthorised viewing of records)
- Integrity breaches (e.g., unauthorised changes to records)
- Availability breaches (e.g., loss of access due to ransomware or system failure)
- Unlawful processing of personal data may also constitute a breach even if there is no external “leak.” In addition, you must report security incidents that could impact Eraneos services or clients, even if personal data is not yet known to be involved.
Who must report?
All Eraneos relations—suppliers, customers, partners, subcontractors, and other third parties—must promptly report any suspected or confirmed data breach or security incident involving:
- Eraneos data or systems
- Client data processed by Eraneos
- Services or environments connected to Eraneos operations (including third‑party platforms and sub‑processors)
When to report?
Report immediately upon discovery, and no later than 24 hours after you become aware of a suspected or confirmed incident. Early reporting helps Eraneos meet legal deadlines (where applicable) and limit harm.
Contact our Security Officer:
Patrick Ngu
security.erax@eraneos.com
Contact our Data Protection Officer:
Sören Zimmermann
dataprotection.de@eraneos.com