In one sentence. GDPR Article 33 — published on EUR-Lex as part of Regulation (EU) 2016/679 — requires the controller to notify the competent supervisory authority of any personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Delay beyond 72 hours requires written justification.
The 72-hour clock and the “awareness” trigger are the two most-litigated elements of Article 33. EDPB Guidelines 9/2022 on personal data breach notification clarify both. The provision is enforced through Article 83(4)(a) — up to €10M or 2% of global turnover.
Key takeaways
- 72-hour notification deadline starting from “awareness”.
- Exception: breach unlikely to result in risk to rights and freedoms.
- Notification must contain 4 mandatory elements (Article 33(3)).
- Phased notification permitted (Article 33(4)).
- Processor must notify controller without undue delay (Article 33(2)).
- All breaches must be internally documented even if not notified (Article 33(5)).
1. Article 33 official text (EUR-Lex)
Article 33 — Notification of a personal data breach to the supervisory authority
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the personal data breach; (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Source: EUR-Lex — official EU publication.
2. The 72-hour clock: when does it start?
EDPB Guidelines 9/2022 define awareness as the moment when the controller has a reasonable degree of certainty that a security incident has occurred and led to personal data being compromised.
- Initial alert ≠ awareness
- Brief investigation period permitted to confirm breach occurred
- Once confirmed, 72-hour clock starts
- Weekends and holidays count
3. Notification content (Article 33(3))
Four mandatory elements:
- Nature of breach + categories + approximate numbers (subjects and records)
- DPO/contact for more information
- Likely consequences
- Measures taken or proposed including mitigation
Most national DPAs (CNIL, ICO, Garante, AEPD, BfDI) provide online notification forms aligned with these elements.
4. Phased notification (Article 33(4))
If the initial 72-hour notification cannot include all required information, supplementary notifications are permitted. Common phasing:
- T+72h: known scope, initial measures
- T+7 to 14 days: forensic findings, refined numbers
- T+30 days: final report, root cause, remediation status
5. The “unlikely to result in risk” exception
EDPB risk-assessment factors:
- Type and sensitivity of data
- Ease of identification
- Severity of consequences (financial, identity theft, discrimination)
- Special categories (Article 9) — almost always require notification
- Volume of affected data subjects
Encryption with strong keys held only by the controller can support a “no risk” conclusion, provided the breach is a confidentiality breach only.
6. Article 33(5) — internal documentation
Even breaches not notified to the DPA must be documented internally. Documentation includes:
- Date of incident and discovery
- Facts and categories
- Risk assessment with justification for not notifying
- Remedial action
Failure to document is itself sanctionable.
7. Article 34 — notification to data subjects
When the breach is likely to result in a high risk, the controller must also notify the affected individuals without undue delay (Article 34). Exceptions: encryption, subsequent measures eliminating risk, disproportionate effort (public communication instead).
8. Sanctions and benchmark cases
Article 83(4)(a) — up to €10M or 2% of global turnover.
Notable cases:
- Marriott (ICO 2020): £18.4M for delayed notification
- British Airways (ICO 2020): £20M, multiple Article 33 issues
- Twitter (Irish DPC 2020): €450,000 specifically for late notification (one of the first Article 33 sanctions)
- Equifax (BfDI 2018, pre-GDPR but cited): notification timing benchmark
- Uber (Dutch AP 2018): €600,000 for concealing 2016 breach
9. Processor obligations (Article 33(2))
The processor must notify the controller without undue delay — typically set at 24-48 hours in data processing agreements (Article 28 contracts). The processor does not notify the supervisory authority directly — the controller does.
This is why every Article 28 data processing agreement should specify a precise processor notification deadline (commonly 24 hours).
10. EDPB Guidelines 9/2022 — main updates vs WP250
- Clearer guidance on awareness threshold
- Strengthened expectations for non-EU controllers (representative role)
- Detailed cross-border notification mechanics (one-stop-shop)
- Clarified delegation to processors
11. Tooling
Legiscope ships a 72-hour breach timer triggered on awareness, with EDPB Guidelines 9/2022-aligned risk assessment, DPA notification form auto-fill (CNIL, ICO, Garante, AEPD, BfDI, others), Article 33(5) internal log, and Article 34 individual notification workflow.
Related: GDPR data breach notification guide, Article 28 DPA.
FAQ
Where can I find the official EUR-Lex text of GDPR Article 33?
EUR-Lex Regulation (EU) 2016/679, Article 33. Available in all 24 EU languages.
What does the 72-hour deadline cover?
The deadline to notify the competent supervisory authority of a personal data breach, starting from when the controller becomes aware of it (EDPB Guidelines 9/2022 define “awareness” as reasonable certainty).
When does the 72-hour clock start?
When the controller has a reasonable degree of certainty that a personal data breach has occurred — not the moment of initial alert. A brief investigation to confirm the breach is permitted.
What if I miss the 72-hour deadline?
Notification is still required, but must be accompanied by written reasons for the delay (Article 33(1) last sentence). DPAs treat late notification as an aggravating factor.
What information must the notification contain?
Four elements per Article 33(3): nature + numbers, DPO contact, likely consequences, measures taken or proposed.
Legiscope automates this for you
Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.