The e-mail I received seems to contain everything
The administrator as the entity responsible for the security of personal data processing including cooperation with a contractor who provides sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR should verify the contractor not only
If you have not already done so, please let the administrator employee, where the breach occurred, notified the client to whom the whatsapp mobile number list agreement was sent by mistake and the client to whom the agreement was wrongly sent about the incident. With the customer who received the contract containing personal data, you should agree on the method of its return collecting the contract by courier) and ask him not to open the package (unless it has already been opened) and not to copy the data and not to share it with other people.
Ongoing verification of the counterparty
In addition, I recommend that the main victim. the data subject, be notified of the incident as soon as possible. In my experience, it is best Bold Data if the first contact is. Mad by phone (if we have a telephone number). It is primarily a quick way of contact. Which allows for a thorough explanation. During the conversation about what has happen, what it involves. What has already been done and what will be the next steps. Only after that, an e-mail with official information is sent. But people are warn that they will receive a message in the mailbox and are no longer surprised.