Visa’s Data Breach of ISX Customer Data, page-150

Well from ISX's perspective, it is likely a breach and I'll explain why to you.

The test is: who is the data controller i.e. who is responsible for the protection of the data?

Going by ISX's judgment, ISX is the data controller as per the GDPR. I don't know the specifics of the data and I'm not a GDPR expert but at least I know the data cannot be shared by Visa EU just because Visa EU has access to it.

A valid question would be why wasn't this data requested from ISX by ASIC? Afterall ISX owns this data and would cooperate with ASIC. ASIC obviously has the power to request the data from ISX, so how this data was moved around indicates to me the data was likely not requested from ISX. ISX has very serious concerns with ASX's ability to protect data and will not release this data to the ASX since part of the regulation highlights the need to only share data when assured the data will be protected. But ASIC? ISX would have.

ISX only has a contractual relationship with Visa EU, so from ISX's point of view, Visa EU and Visa AU are separate entities. Plain and simple. I don't believe the argument some seem to be putting on that as it's all Visa, it's all good is correct. If that were the case, Visa AU should have access to the data and there shouldn't have been a need to 'manually' aka sneakily IMO transfer the data in the first place.

In a different sense, ISX and Visa EU could qualify as joint controllers. But even then it's a joint responsibility in protecting and taking decisions on the disclosure of the data, not just Visa EU's. In the worst-case, Visa EU should have informed ISX of the request and should have discussed the next action jointly with ISX before the actual transfer. In the best case, it should not have handed out the data and simply indicated to ASIC the data is owned by ISX, and request ASIC to source the data from ISX.

So, you see, Visa EU can't merely adviseISX it has manually transferred the data from Visa Europe to Visa Australia as you stated and your group here hopes that's the end of the story. It's more serious than that.

In any case, there would be all sorts of legal arguments coming up as there are usually overlaps or conflicts in these regulations (payday for the lawyers) so it's a bit too early for definite conclusions.

What I care about at this point is that sneaky actions being taken behind the scenes are being exposed, and hopefully, there will be some publicity that exposes the ASX's double standard. I'm fairly certain ASX knew this wasn't straightforward (I recollect someone posted the ASX lawyer said something to that effect in court).

ISX being suspended by Visa is of such importance that it should have been disclosed but sharing of their customers' data without their consent isn't important? Jeez