Structured processes for the timely and legally sound notification of data breaches to supervisory authorities and affected individuals in accordance with Art. 33 and 34 GDPR.
Our clients trust our expertise in digital transformation, compliance, and risk management
30 Minutes • Non-binding • Immediately available
A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Late or omitted notifications can result in substantial fines: up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher.
We work with you to develop tailored reporting processes that both meet the legal requirements and are practical to implement.
Analysis of organizational structures and existing processes
Definition of roles and responsibilities in the reporting process
Development of structured assessment and decision criteria
Implementation of processes with practical tools
Testing and continuous improvement of procedures
"ADVISORI helped us establish structured and legally sound reporting processes for data breaches. The practice-oriented solutions and comprehensive training of our teams have optimally prepared us for GDPR reporting obligations."

Head of Information Security, Cyber Security
Expertise & Experience:
10+ years of experience, CISA, CISM, Lead Auditor, DORA, NIS2, BCM, Cyber and Information Security
We offer you tailored solutions for your digital transformation
Development of structured procedures for the identification, assessment, and reporting of data breaches.
Structured processes for notifying affected individuals in cases of high risk to their rights and freedoms.
Article 35 GDPR requires organisations to carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals. Whether systematic profiling, large-scale monitoring or new technologies such as AI systems — a threshold analysis determines if a DPIA is mandatory. ADVISORI supports you through every step from screening to documentation.
Article 32 GDPR requires organizations to implement appropriate technical and organizational measures (TOMs) to protect personal data. We design and implement tailored TOM frameworks covering encryption, pseudonymization, and access control for demonstrable GDPR compliance.
Under Article 33 GDPR, a personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of it. The notification obligation does not apply if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the 72-hour deadline is exceeded, the notification must be accompanied by the reasons for the delay.
Under Article 33(3) GDPR, the notification must contain at minimum: a description of the nature of the breach, including where possible the categories and approximate number of affected individuals and of affected data records; the name and contact details of the Data Protection Officer or another contact point where more information can be obtained; a description of the likely consequences of the breach; and the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects.
Under Article 34 GDPR, affected individuals must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. The notification must describe the nature of the breach in clear and plain language. It is not required if appropriate protective measures such as encryption rendered the data unintelligible to unauthorized persons, if subsequent measures ensure that the high risk is no longer likely to materialise, or if individual notification would involve disproportionate effort, in which case an equally effective public communication must be made instead.
A structured process typically involves: first, detection and internal escalation to the Data Protection Officer. Second, assessment of whether notification is required and the level of risk to affected individuals. Third, timely notification to the supervisory authority with all required information. Fourth, evaluation of whether affected individuals must be informed. Fifth, comprehensive documentation of all facts, impacts, and remedial measures.
A late or omitted notification can result in fines of up to 10 million euros or 2 percent of total worldwide annual turnover of the preceding financial year, whichever is higher, under Article 83(4) GDPR. If there is a delay, the notification must be accompanied by the reasons for the delay. Article 33(4) GDPR allows phased reporting: where it is not possible to provide all required information at the same time, an initial notification can be submitted and supplemented in phases without undue further delay as more information becomes available.
Under Article 33(5) GDPR, the controller must document every data breach, including all facts, effects, and remedial actions taken. This documentation must enable the supervisory authority to verify compliance. Even breaches that do not trigger a notification obligation must be documented to demonstrate that the decision not to report was justified.
Notification to the supervisory authority under Article 33 GDPR is required for any breach posing a risk and includes detailed technical information. Notification to affected individuals under Article 34 GDPR is only triggered when there is a high risk and must communicate the nature of the breach, potential consequences, and protective measures in plain language. The two obligations have different thresholds and audiences.
For cross-border breaches, the lead supervisory authority for the controller's main establishment in the EU must be notified; it then coordinates with the other concerned supervisory authorities under the GDPR's cooperation and consistency mechanisms. A controller without an establishment in the EU cannot rely on a lead authority and must notify the supervisory authority in each member state where affected individuals reside. Organizations need pre-defined reporting channels and clear responsibilities to meet the 72-hour deadline even for complex, multinational incidents.
Under Article 33(2) GDPR, the processor must notify the controller without undue delay after becoming aware of a data breach. The obligation to notify the supervisory authority remains with the controller. The data processing agreement should specify concrete reporting timelines, contact persons, and the processor's information obligations.
The risk assessment considers the type of data affected, the number of individuals involved, the severity of potential consequences, and whether the data was protected by encryption or other measures. If the assessment concludes there is likely no risk to the rights and freedoms of affected individuals, the notification obligation to the supervisory authority does not apply. The assessment and its outcome must be documented in all cases.
Discover how we support companies in their digital transformation
Klöckner & Co
Digital Transformation in Steel Trading
Siemens
Smart Manufacturing Solutions for Maximum Value Creation
Festo
Intelligent Networking for Future-Proof Production Systems
Bosch
AI Process Optimization for Improved Production Efficiency
Is your organization ready for the next step into the digital future? Contact us for a personal consultation.
Schedule a strategic consultation with our experts now