On 13 July 2026, Lidl told online-shop customers in Germany, Belgium and the Netherlands that a data breach had occurred at one of its third-party IT service providers, exposing names, phone numbers, email addresses, dates of birth and customer numbers. Under the GDPR the data controller — the brand — still owns the 72-hour notification, not the processor. This is the 2026 vendor incident response playbook for that exact hour, oriented to European operators and to buyers of BPO and outsourced IT.
Per BleepingComputer, Help Net Security, SecurityAffairs and SC Media, Lidl told online-shop customers in Germany, Belgium and the Netherlands on 13 July 2026 that a data breach had occurred at one of its third-party IT service providers. The exposed data included names, phone numbers, email addresses, dates of birth and customer numbers. Lidl said passwords, postal addresses, banking or payment details and customer accounts were not affected. Lidl filed a criminal complaint, mandated external forensic experts and notified data protection authorities in the three countries. The name of the third-party provider and the total number of impacted customers have not been made public.
The data controller notifies the authority, not the processor. GDPR Article 33 requires the controller to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach that presents a risk to individuals. Article 34 requires the controller to communicate the breach to affected data subjects without undue delay when the risk to their rights and freedoms is high. Article 28 requires the processor to notify the controller without undue delay after becoming aware of a personal data breach, so the vendor notification is the input into the 72-hour controller clock — not a substitute for it.
Because the GDPR 72-hour clock starts when the controller becomes aware of the breach, and every hour the processor takes to notify is an hour subtracted from the controller\u2019s legal window to triage, engage DPO, legal, communications and customer service, notify the authority, and prepare the customer notification. Vendor notification SLAs measured in days are not fit for purpose. The recommended standard is 24 hours as an upper bound and 6 to 12 hours for critical processors, with a defined evidence package (nature of breach, categories and approximate number of individuals concerned, likely consequences, measures taken) and a forensic cooperation clause.
One, inventory suppliers by categories of personal data processed rather than by contract value. Two, contract notification in hours with a defined evidence package and audit rights. Three, run a joint incident response exercise at least once a year with each critical processor. Four, prepare notification templates for customers and for authorities, pre-validated by legal counsel and pre-translated into each market language. Five, maintain contracted multilingual customer service surge capacity and anti-phishing scripts. Six, enforce nominal named accounts, MFA phishing-resistant, least privilege, credential rotation and segmentation on vendor access. Seven, run table-top exercises and report detection-to-notification metrics to the audit committee.
At a minimum: nominal named accounts rather than shared logins on every buyer system; full session logging aligned to the buyer\u2019s regulatory posture; MFA phishing-resistant on all account access and on the vendor\u2019s own identity provider; a zero-data-on-local-endpoint posture (VDI or browser isolation with clipboard, download and screen capture disabled); a VPN with a kill-switch enforced at the network layer for remote agents; a documented posture aligned with CNDP Law 09-08 in Morocco and with the GDPR; a signed Data Processing Agreement referencing Article 28 obligations and controller cooperation on Article 33 timelines; declared sub-processors with the same audit and notification obligations flowed down.
Call IT Dev operates multilingual customer support and technical support from Morocco with delivery depth in English, French, Spanish, Arabic and German across EU time zones, and can contractually stand up a post-incident surge team for a defined window with anti-phishing scripts, verification protocols and dedicated hotline capacity. Combined with 24/7 SIEM and EDR monitoring and managed detection and response on the technical side, the same partner can cover both the technical response and the customer-facing response of the vendor breach playbook, from a CNDP Law 09-08 and GDPR-aligned footprint.
CALL IT DEV — Software, AI and dedicated tech teams — Casablanca | Madrid | Dubai — contact@callitdev.com — +212-537-373777