DATUREX GmbH Dresden

Data Breach Notification Obligations

What controllers must do when a personal data breach occurs: the 72-hour notification duty to the supervisory authority and the obligation to communicate with affected data subjects under Articles 33 and 34 GDPR.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Typical examples include ransomware attacks, emails accidentally sent with unencrypted attachments, and the theft of an unencrypted laptop.

Notification to the Supervisory Authority

Under Article 33 GDPR, the controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it. Where notification is made after 72 hours, the reasons for the delay must be provided. Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification to the supervisory authority must contain at a minimum: a description of the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, the name and contact details of the data protection officer, a description of the likely consequences of the breach, and a description of the measures taken or proposed to address it.

Communication to Data Subjects

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the additional communication requirement under Article 34 GDPR is triggered. The controller must then also communicate the breach to the affected data subjects without undue delay, using clear and plain language. Communication to data subjects may be omitted in certain circumstances — for example, where the affected data was rendered unintelligible to unauthorised persons through appropriate technical measures such as encryption.

Recital 85 GDPR underlines the importance of a rapid response: without timely action, personal data breaches may result in physical, material, or non-material damage to natural persons. Controllers should therefore maintain a documented incident response process covering detection, internal reporting, risk assessment, documentation, and external notification.

Processor Obligations

Data processors are subject to a specific obligation under Article 33(2) GDPR: they must notify the controller of a breach without undue delay — without being bound by the 72-hour deadline, which applies only to the controller's notification to the supervisory authority. All breaches, including those that do not trigger a notification duty, must be documented internally.
