A personal data breach under GDPR Article 4(12) is not limited to hacking. It covers any security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. An employee emailing a customer spreadsheet to the wrong recipient qualifies, as does a ransomware attack or a misconfigured cloud storage bucket.

What matters under GDPR is not how the breach occurred, but what you do next. Articles 33 and 34 set out two parallel obligations: notify the relevant supervisory authority, and - where the risk to individuals is high enough - notify the affected people directly. Missing either obligation carries fines of up to EUR 10 million or 2% of annual global turnover under Article 83(4).

Article 33: Notifying the Supervisory Authority

Article 33(1) is blunt: when a personal data breach occurs, the data controller must notify the competent supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of the breach. The only exception is where the breach is unlikely to result in any risk to individuals' rights and freedoms - a narrow carve-out that the controller must be able to justify if challenged.

The 72-hour clock starts from awareness, not from when the breach happened. The EDPB's Guidelines 9/2022 define awareness as having a reasonable degree of certainty that personal data has been compromised. If your IT team spots suspicious logs on Monday but confirms exfiltration on Wednesday, the deadline runs from Wednesday.

Weekends and bank holidays count. A breach discovered at 4 p.m. on Friday gives you until 4 p.m. on Monday - not the following Tuesday.

What Your Notification Must Include

Article 33(3) requires four categories of information in every notification to the supervisory authority:

| Required element | Details |
|---|---|
| Nature of the breach | Categories and approximate number of data subjects and data records affected |
| Contact point | Name and contact details of the Data Protection Officer or other contact |
| Likely consequences | Description of the probable impact on affected individuals |
| Remedial measures | Steps taken or proposed to address the breach and mitigate its effects |

Regulators accept that you will not have a complete picture within 72 hours. Phased notification is explicitly permitted under Article 33(4) - file an initial report with what you know, then supplement it as your investigation develops.

Some organisations delay reporting because they want all the facts first. That instinct is understandable but wrong under GDPR. The regulation prioritises speed over completeness. If you miss the 72-hour window, you must include reasons for the delay with your notification.

Article 34: When You Must Tell Individuals Directly

Article 33 addresses the supervisory authority. Article 34 addresses the people whose data was compromised. The threshold is higher: you must communicate the breach to affected individuals only when it is likely to result in a high risk to their rights and freedoms.

High risk typically means scenarios where the breach could lead to identity theft, financial fraud, discrimination, reputational damage, or loss of confidentiality of data protected by professional secrecy. A breach exposing medical records, login credentials, or financial account details almost certainly crosses this threshold. A misdirected email containing someone's postal address probably does not.

Unlike the authority notification, Article 34 sets no fixed deadline - just "without undue delay." But you cannot sit on a high-risk determination for weeks. Once you conclude the breach poses high risk, the communication must go out promptly.

What to Tell Affected Individuals

Article 34(2) requires clear, plain language - not legal boilerplate. The communication must include the DPO's or contact point's details, a description of the likely consequences, and the measures taken to address the breach. The emphasis on clarity is deliberate: you are writing to customers, patients, or employees, not to lawyers.

A strong notification letter names the breach, explains what data was exposed, describes what you have done to contain it, and tells the individual what steps they can take to protect themselves (changing passwords, monitoring bank statements, freezing credit).

Three Exceptions Under Article 34(3)

Article 34(3) lists three exceptions. You need not notify individuals if: (a) the breached data was encrypted and the key was not compromised; (b) you took immediate steps that eliminated the high risk before it materialised; or (c) individual contact would require disproportionate effort, in which case a public communication must substitute. The supervisory authority can override any of these exceptions under Article 34(4) and order you to notify regardless.

Risk Assessment: The Decision That Drives Everything

Both obligations hinge on a risk assessment. The EDPB's guidelines set out criteria for evaluating risk, and your assessment must be documented under Article 33(5) whether you notify or not.

| Factor | Lower risk | Higher risk |
|---|---|---|
| Type of data | Name, email address | Health records, financial data, special category data |
| Volume | Small number of records | Thousands or millions of individuals |
| Identifiability | Pseudonymised or encrypted data | Directly identifiable individuals |
| Vulnerability of subjects | General adult population | Children, patients, employees |
| Likely consequences | Minor inconvenience | Financial loss, discrimination, identity theft |

When in doubt, notify. Supervisory authorities consistently treat over-notification more favourably than under-notification. The Irish DPC received 7,781 valid breach notifications in 2024 alone - an 11% year-on-year increase - and breach notification volumes across the EEA reached a daily average of 443 in 2025, up 22% from the prior year.

The Breach Register: Your Article 33(5) Obligation

Every breach must be documented, regardless of whether it triggers a notification. Article 33(5) requires you to record the facts of the breach, its effects, and the remedial actions taken - in enough detail for the supervisory authority to verify compliance.

In December 2024, the Irish DPC fined Meta Platforms Ireland EUR 251 million for a 2018 Facebook breach affecting 29 million accounts globally. Of that total, EUR 8 million was specifically for submitting an incomplete notification under Article 33(3), and EUR 3 million was for inadequate breach documentation under Article 33(5). The remaining EUR 240 million related to data protection by design failures uncovered during the investigation - failures that only came to light because the DPC scrutinised the breach notification.

A poor notification does not just attract its own fine - it invites deeper regulatory investigation that can uncover far costlier violations.

The Digital Omnibus: Upcoming Changes to Article 33

The European Commission's Digital Omnibus proposal (November 2025) targets three changes to breach notification. The EDPB and EDPS broadly support the direction in their February 2026 joint opinion.

Raised notification threshold - The current rule requires authority notification unless the breach is "unlikely to result in a risk." The proposal would raise this to "likely to result in a high risk," aligning the authority notification threshold with the existing Article 34 threshold for individual notification. This would substantially narrow the pool of notifiable breaches and reduce defensive over-reporting of low-risk incidents.

Extended deadline - The 72-hour reporting window would increase to 96 hours, giving incident response teams an extra day to investigate and file a more complete initial notification.

Single-entry point - A unified reporting portal, operated by ENISA, would allow organisations to file breach notifications under GDPR, NIS2, DORA, and other EU incident reporting regimes through one form. The EDPB would also develop a standardised breach notification template and a common list of high-risk scenarios, reviewed at least every three years.

The proposal must still pass through the European Parliament and Council, with adoption realistically expected around mid-2027. The 72-hour rule and current risk thresholds remain in force until then.

Building a Breach Response Plan

A documented incident response plan is not a GDPR requirement in so many words, but it is the only realistic way to meet the 72-hour deadline. Organisations that improvise their response during a live incident almost always miss the window.

An effective plan covers who receives the initial internal report, the escalation path to the DPO, a risk assessment template aligned with EDPB criteria, pre-drafted notification templates for both the authority and affected individuals, and a breach register format that satisfies Article 33(5).
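The following is an added example, not code from the page's author, showing how the rules above (the 72-hour clock running from awareness with weekends counting, the Article 33(1) carve-out, the Article 34 high-risk threshold with its three 34(3) exceptions, phased notification under 33(4), and the Article 33(5) register entry carrying the four 33(3) elements) can be encoded in a small response-plan helper. The `Breach` fields, the `Risk` enum, the contact address and the scenario timestamps are constructed assumptions; the risk level itself is an input that comes from your documented assessment, not something the code decides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"   # Art 33(1) carve-out: register only
    RISK = "likely to result in a risk"         # notify the supervisory authority
    HIGH = "likely to result in a high risk"    # notify authority and individuals


ARTICLE_33_WINDOW = timedelta(hours=72)


@dataclass
class Breach:                            # hypothetical record shape
    reference: str
    occurred_at: datetime                # when the incident happened (informational)
    aware_at: datetime                   # reasonable certainty that data was compromised
    risk: Risk                           # outcome of the documented risk assessment
    assessment: str                      # reasoning behind `risk`, kept for Art 33(5)
    encrypted_key_intact: bool = False   # Art 34(3)(a)
    high_risk_eliminated: bool = False   # Art 34(3)(b)
    disproportionate_effort: bool = False  # Art 34(3)(c)


def authority_deadline(breach: Breach) -> datetime:
    """72 hours from awareness, not from occurrence; calendar time, so weekends count."""
    if breach.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware to compute a deadline")
    return breach.aware_at + ARTICLE_33_WINDOW


def must_notify_authority(breach: Breach) -> bool:
    return breach.risk is not Risk.UNLIKELY


def individual_communication(breach: Breach) -> str:
    """Article 34 outcome for the affected individuals."""
    if breach.risk is not Risk.HIGH:
        return "not required (Art 34(1) high-risk threshold not met)"
    if breach.encrypted_key_intact:
        return "exempt under Art 34(3)(a): data encrypted, key not compromised"
    if breach.high_risk_eliminated:
        return "exempt under Art 34(3)(b): high risk eliminated by subsequent measures"
    if breach.disproportionate_effort:
        return "public communication required under Art 34(3)(c)"
    return "direct communication required without undue delay"


def filing_status(breach: Breach, filed_at: datetime) -> str:
    """Whether an authority notification filed at `filed_at` met the 72-hour window."""
    if not must_notify_authority(breach):
        return "no authority notification required; document in register only"
    late_by = filed_at - authority_deadline(breach)
    if late_by <= timedelta(0):
        return "filed within 72 hours"
    hours = late_by.total_seconds() / 3600
    return f"filed {hours:.1f} h late; reasons for the delay must accompany the notification"


def register_entry(breach: Breach, *, nature: str, contact: str,
                   consequences: str, remedial: str, complete: bool) -> dict:
    """Article 33(5) record carrying the four Article 33(3) elements."""
    return {
        "reference": breach.reference,
        "occurred_at": breach.occurred_at.isoformat(),
        "aware_at": breach.aware_at.isoformat(),
        "authority_deadline": authority_deadline(breach).isoformat(),
        "risk": breach.risk.value,
        "risk_assessment": breach.assessment,
        "notify_authority": must_notify_authority(breach),
        "individuals": individual_communication(breach),
        "nature_of_breach": nature,           # Art 33(3)(a)
        "contact_point": contact,             # Art 33(3)(b)
        "likely_consequences": consequences,  # Art 33(3)(c)
        "remedial_measures": remedial,        # Art 33(3)(d)
        "phased_notification": not complete,  # Art 33(4): supplement later
    }


# Constructed scenario: suspicious logs on Wednesday 5 March 2025; exfiltration of
# customer credentials confirmed at 16:00 UTC on Friday 7 March 2025. The clock
# therefore runs from Friday 16:00 and expires Monday 16:00.
EXAMPLE = Breach(
    reference="BR-2025-0007",
    occurred_at=datetime(2025, 3, 5, 9, 30, tzinfo=timezone.utc),
    aware_at=datetime(2025, 3, 7, 16, 0, tzinfo=timezone.utc),
    risk=Risk.HIGH,
    assessment="login credentials of ~12,000 directly identifiable customers; "
               "account takeover and identity theft plausible",
)
ON_TIME_FILING = datetime(2025, 3, 10, 15, 0, tzinfo=timezone.utc)  # Monday 15:00
LATE_FILING = datetime(2025, 3, 10, 18, 0, tzinfo=timezone.utc)     # Monday 18:00

if __name__ == "__main__":
    entry = register_entry(
        EXAMPLE,
        nature="Customer account table: ~12,000 data subjects, ~12,000 records",
        contact="DPO <dpo@example.com>",   # placeholder contact
        consequences="credential reuse, account takeover, targeted phishing",
        remedial="passwords reset, sessions revoked, storage access key rotated",
        complete=False,
    )
    for key, value in entry.items():
        print(f"{key}: {value}")
    print(filing_status(EXAMPLE, ON_TIME_FILING))
    print(filing_status(EXAMPLE, LATE_FILING))
```

The helper deliberately keeps the risk level as an input: the EDPB criteria in the table above need human judgement, and what the register must show is the reasoning, which is why `assessment` is stored alongside the decision. Run it as a script to print the register entry for the constructed scenario and the on-time and late filing outcomes.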

Test the plan through a tabletop exercise at least annually. The DLA Piper GDPR Fines and Data Breach Survey (January 2026) confirmed that daily breach notifications crossed 400 for the first time in 2025. The question is not whether your organisation will face a breach, but whether you will be ready.

Frequently Asked Questions

Does every data breach have to be reported to the supervisory authority?

No. Article 33(1) exempts breaches that are unlikely to result in a risk to individuals' rights and freedoms. If the data was encrypted and the key was not compromised, for example, you may not need to notify. But you must still document the breach and your risk assessment in your breach register under Article 33(5).

What happens if I miss the 72-hour notification deadline?

You must still notify and include reasons for the delay alongside your report. GDPR recognises that meeting the deadline is not always feasible, but you need a defensible explanation. Failure to notify at all - or unjustified delays - can result in fines of up to EUR 10 million or 2% of global annual turnover.

When do I have to notify affected individuals about a data breach?

Under Article 34, individual notification is required when the breach is likely to result in a high risk to the rights and freedoms of the people affected. This typically applies where the breach involves sensitive personal data, login credentials, or financial information that could lead to identity theft or fraud.

Can I send a phased breach notification to the supervisory authority?

Yes. Article 33(4) explicitly permits phased reporting. You can file an initial notification with the information available within 72 hours, then supplement it with further details as your investigation progresses. Most DPA online forms include a field for marking a notification as incomplete.

Is my data processor responsible for reporting breaches to the DPA?

No. Article 33(2) requires the processor to notify the controller without undue delay, but the obligation to report to the supervisory authority rests with the controller. Your Data Processing Agreement should specify a concrete notification timeframe.

Will the 72-hour breach notification deadline change under the Digital Omnibus?

The European Commission's Digital Omnibus proposal (November 2025) would extend the deadline to 96 hours and raise the notification threshold to high risk only. The EDPB and EDPS broadly support these changes, but the proposal must still pass through the European Parliament and Council before becoming law.

Do I need a breach register even if I never have a reportable breach?

Yes. Article 33(5) requires documentation of all personal data breaches, including those you assessed as not requiring notification. The register must record the facts, effects, and remedial actions for each incident, and it must allow the supervisory authority to verify your compliance during an audit.

Start Managing Cookie Compliance Before a Breach Happens

Cookies that set tracking identifiers without proper consent create exactly the kind of data processing gap that turns a routine security incident into a reportable breach. Running a regular cookie scan helps you know what personal data your site collects - so you are not caught off guard when something goes wrong.
