With the customer who received the contract containing personal data, you should agree on the method of its return. collecting the contract by courier) and ask him not to open the package (unless it has already been opened) and not to copy the data and not to share it with other people . In addition, I recommend that the main victim, i.e. the data subject, be notified of the incident as soon as possible.
For the controller to manage the process
In my experience, it is best if the first contact is made by phone (if we have a telephone number). It is primarily a quick way of whatsapp mobile number list contact, which allows for a thorough explanation during the conversation about what has happened, what it involves, what has already been done and what will be the next steps. Only after that, an e-mail with official information is sent, but people are warned that they will receive a message in the mailbox and are no longer surprised.
Agreements may make it easier
Providing information in a way that demonstrat. That it has been done is essential for the accountability principle, and email is a good Bulk Lead tool. Of course, if the breach affect. A large group of people, calling would be rather impossible. I independently prepar the content. Of the information that will be sent to the person. Whose data has been breached (in accordance with the requirements. Set out in Article 34 of the GDPR) and to the person to. Whom the data has been transferr and I am asking the administrator’s employees to send it today.