Breach Notification

72-hour deadline, notification to supervisory authority, notification of data subjects, and documentation requirements.

Breach Notification under the GDPR

Articles 33 and 34 of the GDPR establish strict obligations for reporting personal data breaches. A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Art. 4(12)).

The notification obligations are among the most time-critical requirements of the GDPR. Without prepared processes and pre-drafted templates, meeting the deadlines is extremely difficult.

Notification to the Supervisory Authority (Art. 33)

When a personal data breach occurs, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is made after 72 hours, the controller must provide reasons for the delay.

The only exception: notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. However, you must still document the breach internally, including the facts, effects, and remedial actions taken (Art. 33(5)).

Mandatory Notification Contents

The notification to the supervisory authority must include:

  • Nature of the breach: Description including, where possible, the categories and approximate number of data subjects and data records affected
  • DPO contact details: Name and contact details of the Data Protection Officer or other contact point
  • Likely consequences: Description of the likely consequences of the breach
  • Remedial measures: Description of the measures taken or proposed to address the breach and mitigate its adverse effects

If it is not possible to provide all information at once, it may be provided in phases without undue further delay.

Notification to Data Subjects (Art. 34)

When a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected data subjects without undue delay. The communication must be in clear, plain language and include:

  • The nature of the breach
  • The DPO's contact details
  • The likely consequences
  • The measures taken to address the breach

Exceptions to Data Subject Notification

Notification of data subjects is not required if:

  • The controller has implemented appropriate technical measures (e.g. encryption) that render the data unintelligible to unauthorised persons
  • The controller has taken subsequent measures that ensure the high risk is no longer likely to materialise
  • It would involve disproportionate effort, in which case a public communication or similar measure must be used instead

The 72-Hour Timeline in Practice

The 72-hour clock starts from the moment the controller becomes aware of the breach, not from when it occurred. "Awareness" means having a reasonable degree of certainty that a breach has taken place. A practical timeline looks like this:

  • Hour 0: Breach detected or reported internally
  • Hour 0-4: Initial assessment: Is this a personal data breach? What is the scope?
  • Hour 4-24: Detailed investigation: categories and volume of data affected, root cause analysis, containment measures
  • Hour 24-48: Risk assessment: Is there a risk to data subjects? Is there a high risk requiring data subject notification?
  • Hour 48-72: Prepare and submit notification to supervisory authority. Prepare data subject notification if required.

Processor Obligations

Processors must notify the controller without undue delay after becoming aware of a personal data breach (Art. 33(2)). This obligation should be reflected in the Data Processing Agreement with specific timeframes (many organisations require notification within 24 hours).

Documentation Requirements

Regardless of whether a breach is reported to the supervisory authority, Art. 33(5) requires the controller to document all breaches, including:

  • The facts relating to the breach
  • Its effects
  • The remedial action taken
  • The reasoning if the decision was made not to notify the supervisory authority

This documentation must enable the supervisory authority to verify compliance. Maintain a dedicated breach register as part of your GDPR compliance programme.

Consequences of Non-Compliance

Failure to notify a breach can result in significant fines. Under Art. 83(4)(a), violations of breach notification obligations can lead to fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. In practice, supervisory authorities have imposed substantial fines for late or missing breach notifications.

Be Prepared Before a Breach Occurs

Kopexa provides pre-configured breach notification workflows, assessment templates, and a breach register. When an incident occurs, your team can focus on response rather than scrambling for processes. Work through our GDPR Checklist to ensure your breach response process is in place.