Global Data Breaches Exposed in Outsourcing Chain as Concentrix Fails to Provide Accountability

Lisbon, Portugal - Cambridge Samuel, an independent whistleblower advocacy platform, today publicly discloses documented global personal data breaches across a multinational outsourcing chain, and highlights the continued failure of Concentrix Corporation (NASDAQ: CNXC) to provide accountability and transparency following regulatory notice - including non-compliance with a lawful Article 15 GDPR data subject access request submitted by a protected whistleblower.

The access request was submitted on 7 May 2025 to Concentrix's Data Protection Office and Global DPO and sought full disclosure of all personal data processed in relation to the whistleblower's engagement, including processing records, access logs, international transfers, Data Protection Impact Assessments (DPIAs), and breach notifications. More than eight months have elapsed without any substantive response, far exceeding the one-month deadline under Article 12(3) GDPR (extendable to three months only with reasoned justification, none of which was provided).

Prior regulatory awareness (May 2025)

This disclosure explicitly links back to a whistleblower complaint submitted on 4 May 2025 to the CNPD, the European Data Protection Board (EDPB), and the Portuguese labour authority (ACT). That complaint concerned systemic GDPR and global data-protection violations involving Google, Teleperformance (including Majorel), Cognizant and Concentrix, supported by extensive documentary evidence - including over 3,100 Buganizer emails and multiple internal YouTube and Waze documents - already in the possession of EU supervisory authorities since May 2025.

The present disclosure introduces no new allegations. It connects prior regulatory awareness to subsequent and continuing failures of governance, accountability, and remediation.

Key timeline

7 May 2025 - Article 15 GDPR request submitted

13 January 2026 - First reminder

15 January 2026 - Second reminder and identity verification

15 January 2026 - Escalation via IntegrityCounts whistleblower channel

23 January 2026 - Final deadline communicated

Audit Committee and outside counsel escalation

On 15 January 2026, the matter was formally escalated through Concentrix's whistleblower channel (IntegrityCounts) to the Audit Committee and outside counsel:

-Teh-Chien Chou - Chair, Audit Committee

-Allison M. Leopold Tilley - Outside Counsel, Pillsbury Winthrop Shaw Pittman LLP

No response has been received from Concentrix to date, either following escalation to the Audit Committee and outside counsel or in response to requests for comment made in advance of publication.

Scope and substance of the breaches

Internal documentation indicates that Concentrix agents handled third-party creator and user data in Buganizer tickets and email correspondence across at least ten jurisdictions, including the United States, South Korea, the Philippines, Vietnam, Indonesia, Thailand, India, Portugal, Greece and the United Kingdom.

Thousands of emails containing personal data and account-level information were disclosed to a whistleblower who had no operational role, authorisation or lawful basis to receive such data. These disclosures were not initiated or disseminated by Cambridge Samuel, but were received by the whistleblower in the course of the underlying events giving rise to the complaint.

Such repeated and large-scale unauthorised disclosures constitute independent violations of Articles 5, 6 and 32 GDPR, and objectively trigger breach-assessment and notification obligations under Articles 33 and 34 GDPR.

Despite prior regulatory notice, no evidence has been provided of breach notifications, DPIAs, remedial actions, or containment measures.

Following whistleblower correspondence, a device retained as potential evidence was remotely restricted by the company. The device has since been preserved offline.

Retaliation and failed silencing attempts

Attempts to silence whistleblowers have failed. An injunction initiated by Teleperformance was dismissed by the competent court. Cease-and-desist letters from Eversheds Sutherland (for Cognizant: Tiago Macaia Martins, Inês Albuquerque e Castro) and J. Vilaca de Fonseca (for Transcom and Roche: Rui Pereira Rocha) have been published in full on cambridgesamuel.com and did not suppress disclosures.

Despite multiple letters sent in March 2025 to Bruno Andrade Santos, Praveenkumar Sundar, Sara Belo Tanoeiro, and directly to Google's Data Protection Officer, Google has provided no response for over ten months, constituting a separate breach of Articles 12 and 15 GDPR.

Call to action

Cambridge Samuel calls on Concentrix, Google, Cognizant, Teleperformance, Foundever, Vivino, Roche, Transcom, and other relevant parties to:

-Provide accountability for documented global data breaches

-Comply fully with outstanding Article 15 GDPR requests

-Enter good-faith negotiations toward an amicable resolution

Absent prompt remediation, further regulatory, legal and public-interest actions may follow, including supervisory complaints, civil litigation, and additional factual disclosures.

Related disclosures

Additional press releases, factual disclosures, and published correspondence concerning the same subject matter and the parties referenced above are available on the Cambridge Samuel website, where ongoing updates are provided as assessments progress (www.cambridgesamuel.com).

Contact

class-action@cambridgesamuel.com

legal@cambridgesamuel.com

public-relations@cambridgesamuel.com

Cambridge Samuel is an independent advocacy platform supporting whistleblowers and data subjects in matters of regulatory compliance, corporate accountability and public-interest disclosures.

Av. da Liberdade 110
1269-046 Lisboa, Portugal
+351 214 00 55 00

Sofia Goncalves / sofia.goncalves@cambridgesamuel.com

Cambridge Samuel is an advocacy platform exploring (collective) legal options for employees facing workplace violations.

This release was published on openPR.