@gsuberland @glyph @foone The entity that was the data controller at the time of the breach is responsible for reporting it. If the company has been liquidated, the liquidator or administrator may need to handle this obligation (GDPR wise)