The 72-Hour Rule

Article 33 of the GDPR requires that a controller notify its competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, if the breach is likely to result in a risk to the rights and freedoms of natural persons. The 72-hour window is one of the most operationally demanding compliance requirements in the GDPR, because it begins at the moment the organisation becomes aware of the breach, not when the breach occurred, and it requires a notification that, while it can be staged if full information is not yet available, must contain specific prescribed information from the outset.

A personal data breach is defined in Article 4(12) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers a wide range of incidents: a ransomware attack that encrypts personal data, a phishing attack through which credentials are stolen and used to access personal data, an email sent to the wrong recipient containing personal data, a laptop or USB drive containing personal data that is lost or stolen, a database misconfiguration that exposes personal data to the internet, and a deliberate insider exfiltration of personal data. It does not require that data has been exfiltrated or misused; unauthorised access to or unavailability of personal data is sufficient.

The Risk Threshold

Not every personal data breach requires notification to the supervisory authority. Notification is required where the breach is likely to result in a risk to the rights and freedoms of natural persons. A breach that is unlikely to result in any risk (for example, an accidental deletion of encrypted data for which a backup exists) does not require supervisory authority notification, but must still be documented in the organisation's internal breach register under Article 33(5).

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons (a higher threshold), Article 34 additionally requires direct notification to the affected individuals without undue delay. High risk is assessed by reference to the nature of the data involved, the scale of the breach, the likelihood that the data will be misused, and the vulnerability of the affected individuals. Breaches involving financial data, health data, identity documents, passwords, or biometric data are most likely to meet the high-risk threshold requiring individual notification.

What the Notification Must Contain

Article 33(3) specifies the content of the supervisory authority notification: a description of the nature of the breach including the categories and approximate number of data subjects concerned and records involved; the name and contact details of the DPO or other contact point; a description of the likely consequences of the breach; and a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

Where this information is not all available within 72 hours (which is common in the early stages of a security incident), the GDPR permits phased notification: an initial notification within 72 hours containing the information available at that time, followed by supplementary notifications as further information becomes available. The initial notification must not be deferred because the investigation is incomplete: the obligation to notify within 72 hours stands regardless of whether the full picture is known.

Preparing for Breach Response

Organisations that lack a documented incident response plan and a clear notification protocol are at a significant disadvantage when a breach occurs. The 72-hour window is extremely short when an organisation is simultaneously managing a security incident, assessing the scope of affected data, engaging forensic experts, and trying to document the information required for the regulatory notification. Best practice is to have a defined escalation path from operational staff to the DPO and senior management, a documented breach assessment protocol identifying who is responsible for the risk assessment, template notification forms pre-populated with the organisation's DPO contact details and processor information, and pre-established contact details for the competent supervisory authority.

Frequently Asked Questions

When does the 72-hour clock start?

The clock starts when the controller becomes aware of the breach. The EDPB's guidance clarifies that a controller becomes aware when it has a reasonable degree of certainty that a security incident has occurred that has led to the compromise of personal data. This does not require certainty about the full scope of the breach; awareness of the incident itself is sufficient to start the clock. Controllers cannot avoid the notification deadline by deliberately not investigating an incident they have reason to suspect: wilful blindness does not defer awareness. Internal escalation delays also do not defer the start of the clock. If a front-line employee becomes aware of a breach, the organisation is aware for GDPR purposes once the employee has knowledge, even if management has not yet been informed.

Do we have to notify data subjects in every breach?

No. Individual notification is required only where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, a higher threshold than the risk threshold that triggers supervisory authority notification. Where a risk to individuals is assessed as low or medium rather than high, supervisory authority notification may still be required but individual notification is not. The assessment of high risk is made on a case-by-case basis considering the nature of the data, the scale, the likely consequences, and the vulnerability of the affected individuals. Documenting this assessment is essential: organisations that fail to notify individuals of high-risk breaches face regulatory scrutiny both for the underlying breach and for the notification failure.

What if the breach was caused by a processor?

Where a personal data breach occurs at a processor, Article 33(2) requires the processor to notify the controller without undue delay after becoming aware of the breach. The controller then bears the primary responsibility for assessing the breach and notifying the supervisory authority within 72 hours of its own awareness (which begins when the processor notifies the controller). Processor contracts under Article 28 GDPR must include obligations for processors to notify the controller of breaches promptly and to provide the information the controller needs to make the regulatory notification. Controllers that do not have adequate processor breach notification provisions in their data processing agreements are at risk of missing the 72-hour deadline because they learn of the breach too late.

Is a phishing attack that was blocked a notifiable breach?

Not necessarily. A phishing attempt that was detected and blocked before any credentials were compromised or any personal data was accessed is not a personal data breach, as there was no breach of security that led to a compromise of personal data. However, a successful phishing attack in which the attacker obtained valid credentials and used them to access personal data systems is a breach, even if no data appears to have been exfiltrated. Access to personal data by an unauthorised party is itself a personal data breach within Article 4(12), regardless of what the attacker subsequently did with the access.

Bart Lieben
Attorney-at-Law