Re: What Exactly Was The Breach ???
Not everything - there is a "legitimate interest" exception.
Nevertheless it raises a number of issues. If, under legitimate interest a data subject's bank passes data to a CRA who then gets breached what are the responsibilities of the bank? If it were they and not the CRA who had been breached then clearly they could expect to be fined under GDPR. But they decided they had a legitimate interest in passing on the data. Should they not still be liable?
The data subject-facing business should remain liable under both civil and criminal law for any breaches further along the line, irrespective of how far the data gets passed. Apart from anything else it's the only way that the likes of Safe Harbour and Privacy Figleaf can be made to work. They should have to make judgements about the reliability of those to whom they pass data. It's not sufficient for data subjects to have to go to law in some other jurisdiction against a company with whom they have had no dealings although that should not preclude action under GDPR against all businesses in the chain.