The ICO has been made aware of a data breach involving a company called Typeform that has affected a number of organisations who use their services. We are making enquiries, including liaising with our partners in the UK and overseas.

Controllers have an obligation to report data security breaches to the ICO unless there is unlikely to be a risk to individuals.

If your organisation has been affected by the Typeform incident and you have enough information to establish that there may be a risk to your customers, you should report the breach to the ICO. If we need further information we will be in contact with you.

You should consider how your customers may be affected by the breach. If you think there is a high risk to their rights and freedoms, you need to tell them about the breach without delay. You should tell them about any steps you are taking to mitigate the effects of the breach and provide them with advice on what to do to protect themselves.

Please copy and paste the table in the document below into a blank email, add your response and send your email to casework@ico.org.uk.

You should include ‘Typeform breach notification’ in the subject line of the email, along with your company name.