In short. GDPR Article 33 requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. The notification must describe the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed. Processors must notify the controller without undue delay of any breach. Article 34 separately covers communication to data subjects when the risk is high.
Article 33 is the GDPR’s most operationally demanding obligation. The 72-hour deadline starts when the controller becomes aware of the breach — not when investigation completes. This means most controllers need a pre-built notification workflow ready before the first breach occurs, because the time pressure is real.
For the data subject communication, see Article 34. For security obligations: Article 32 security. For the French-language deep-dive: article 33 RGPD.
Key takeaways
- 72-hour deadline starts when the controller becomes aware of the breach.
- Notification required unless the breach is unlikely to result in a risk — narrow exemption.
- Late notification must be justified with reasons for the delay.
- Notification can be phased — initial within 72h with subsequent updates.
- Processors must notify controllers without undue delay (the GDPR sets no hour count; data processing agreements typically fix 24-48h).
1. What triggers Article 33
A “personal data breach” (Article 4(12)) means a breach of security leading to any of the following, affecting personal data transmitted, stored or otherwise processed:
- Destruction (accidental or unlawful)
- Loss (lost USB, deleted backup without recovery)
- Alteration (data corruption, unauthorized modification)
- Unauthorised disclosure (sent to wrong recipient, leak)
- Unauthorised access (insider misuse, external attack)
Common incidents qualifying as breaches:
- Ransomware attack (availability impact + potential disclosure)
- Misdirected email containing personal data
- Lost or stolen laptop with unencrypted data
- Database left publicly accessible by misconfiguration
- Employee accessing records outside their need
- Vendor breach exposing customer data
- Phishing leading to credential compromise
2. The “awareness” trigger
The 72-hour clock starts when the controller becomes aware of the breach. Per EDPB Guidelines 9/2022 (which carry forward the WP29 guidance in WP250):
- Awareness = a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised
- Not the moment of detection (an alert may be inconclusive)
- Not the end of the full investigation (which may take weeks)
- The threshold is “reasonable certainty”
The guidelines allow a short initial investigation to establish whether personal data is affected, but expect it to start immediately and be brief; a supervisory authority will ask why awareness came later than detection. In practice, awareness is established when the incident response team confirms that personal data has been affected, not when the root cause is fully understood.
3. The 72-hour deadline
Notification must be made “without undue delay and, where feasible, not later than 72 hours after having become aware”. If the deadline is missed:
- Notification must still be made
- It must be accompanied by reasons for the delay
The CNIL and other supervisory authorities accept delayed notifications when the controller can document why 72h was infeasible (for example a complex forensic investigation or coordination across several entities). The 72 hours are calendar hours: weekends and public holidays do not pause the clock, so a breach confirmed on Friday evening is due on Monday evening, and “it was the weekend” is not a reason an authority will accept. They are far less tolerant when the delay is unexplained.
4. The “unlikely to result in a risk” exemption
Article 33(1) creates a narrow exemption: notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The EDPB has clarified that this is strictly interpreted, and the burden of showing that a risk is unlikely sits with the controller:
- The exemption analysis must be recorded in the breach register (Article 33(5)), since that record is what the authority will review
- Pseudonymised data where the re-identification keys are NOT compromised → may qualify
- Data encrypted with a state-of-the-art algorithm, keys NOT compromised → may qualify, provided the data is still available elsewhere (a lost encrypted laptop with no backup is still a loss of availability that may need notifying)
- Data already publicly available → may qualify
When in doubt, the EDPB recommends notifying rather than relying on the exemption.
5. Content of the notification (Article 33(3))
The notification must include:
- Nature of the breach (description of what happened)
- Categories and approximate number of data subjects concerned
- Categories and approximate number of personal data records concerned
- Name and contact details of the DPO (or other contact point)
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its possible adverse effects
If complete information is not available within 72h, the controller can provide it in phases without undue further delay (Article 33(4)).
6. The processor’s obligation (Article 33(2))
The processor must notify the controller without undue delay after becoming aware of a breach. The GDPR doesn’t specify hours. In practice:
- 24-48 hours is the contractual norm in modern data processing agreements (Article 28(3))
- The processor cannot wait until they’ve “fixed” the problem; they must alert the controller as soon as they know, and may supplement the details later
A processor that delays notifying the controller, causing the controller to miss the 72h authority deadline, is exposed to:
- Breach of contract under the data processing agreement
- Direct infringement of Article 33(2) and of the Article 28(3)(f) duty to assist the controller with its Article 32-36 obligations
- Sanction under Article 83(4)(a), which applies to processors as well as controllers
7. The internal documentation requirement (Article 33(5))
The controller must document any personal data breach, including:
- The facts relating to the breach
- Its effects
- The remedial action taken
This documentation requirement applies to all breaches — including those not notified to the authority. The breach register is what the DPA inspects to assess whether the exemption analysis was sound.
8. Notification mechanism
Each EU supervisory authority has its own notification channel:
- France (CNIL): online teleservice at notifications.cnil.fr
- Germany: the competent Landesbehörde for most private-sector controllers (the BfDI for federal public bodies and telecoms/postal operators); each has its own form
- Spain (AEPD): web form on its Sede Electrónica
- Italy (Garante): dedicated online procedure
- Ireland (DPC): online webform
For cross-border breaches affecting data subjects in several Member States, notify the lead supervisory authority (Article 56), the authority of the Member State where the controller has its main establishment. A controller with no establishment in the EU cannot use the one-stop-shop mechanism and must notify each concerned supervisory authority separately.
9. Coordination with Article 34
If the breach is likely to result in a high risk (a higher threshold than Article 33), the controller must also communicate it to data subjects under Article 34. The two obligations run in parallel:
- Article 33: risk not unlikely → notify the authority within 72h
- Article 34: high risk → inform data subjects without undue delay
See Article 34 breach communication.
10. Coordination with NIS2
For organizations subject to NIS2 (essential and important entities), a significant incident that also involves personal data triggers two parallel sets of obligations with separate recipients:
- GDPR Article 33: 72h to the data protection supervisory authority
- NIS2 Article 23: 24h early warning, 72h incident notification and a final report within one month to the national CSIRT or competent cybersecurity authority
Integrated incident response is essential.
11. Sanctions
Article 83(4)(a) places Article 33 violations at the lower fine tier: up to €10M or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Notable cases:
- British Airways (ICO, 2020, £20M, down from a £183M notice of intent in 2019) and Marriott (ICO, 2020, £18.4M): both fined for Article 5(1)(f)/32 security failures rather than under Article 33; they show the scale of the incidents that trigger notification, not late notification itself
- Hôpital de Bourges (CNIL, 2022, €60K): partly Article 33
- Multiple SMB sanctions of €5K-€50K for non-notification
An Article 33 finding is rarely isolated; it usually compounds Article 32 (security) and Article 34 (data subject communication) failures in the same decision.
12. Practical workflow
Pre-breach (build before you need it)
- ☐ Incident response playbook documented
- ☐ DPO + tech lead + legal in incident response team
- ☐ Pre-drafted notification template for the relevant DPA
- ☐ Mapping of which DPA is lead supervisory authority
- ☐ Communication channels with critical processors (24h notification SLA)
Day 0 — Detection
- Crisis cell (incident response team) activated
- Containment (isolate, revoke access)
- Forensic preservation
- DPO/CISO informed
Day 0-1 — Qualification
- Is this a personal data breach?
- What data is affected? What categories?
- How many data subjects?
- Likely consequences?
Day 1-2 — Decision
- Risk assessment → notify or not?
- If yes: draft notification
- If no: document the exemption analysis
Day 2-3 — Notification (within 72h)
- Submit to supervisory authority via portal
- If incomplete information: file initial notification with commitment to supplement
Days 3-30 — Follow-up
- Supplementary information to DPA
- Article 34 communication to data subjects if applicable
- Internal documentation in breach register
Months 1-6 — Closure
- Remediation completed
- Final supplementary information to the supervisory authority (and the NIS2 final report, if applicable)
- Lessons learned documented
- Process improvements implemented
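The clocks and decision rules in sections 2 to 10 are easy to get wrong under pressure (the clock runs from awareness, not detection; it runs through weekends; a late notice needs documented reasons; NIS2 adds its own timeline). The following Python sketch is an added example, not the page’s own tooling and not Legiscope code; it encodes those rules as a small breach-register helper. The timestamps, the breach reference and the 30-day reading of NIS2’s “one month” are assumptions made for the example.

```python
"""Breach-deadline calculator and register entry (added example, not the page's tooling).

Encodes the GDPR Article 33/34 decision rules and the GDPR/NIS2 clocks described above.
All timestamps used below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"   # Art. 33(1) exemption (narrow)
    RISK = "risk"                                # Art. 33: notify the authority
    HIGH = "high risk"                           # Art. 34: also inform data subjects


# Statutory windows. NIS2's "one month" is taken as 30 days here (assumption; check
# the national transposition for the exact counting rule).
GDPR_AUTHORITY = timedelta(hours=72)
NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INITIAL = timedelta(hours=72)
NIS2_FINAL = timedelta(days=30)


@dataclass
class Breach:
    ref: str
    detected_at: datetime              # first alert; may be inconclusive
    aware_at: datetime                 # "reasonable certainty" (EDPB 9/2022): clock starts here
    risk: Risk
    nis2_entity: bool = False          # essential/important entity under NIS2
    notified_authority_at: Optional[datetime] = None
    delay_reasons: str = ""            # Art. 33(1): mandatory when notified after 72h

    def __post_init__(self) -> None:
        # The 72h are calendar hours; naive timestamps hide time-zone and DST mistakes.
        for name in ("detected_at", "aware_at", "notified_authority_at"):
            ts = getattr(self, name)
            if ts is not None and ts.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")
        if self.aware_at < self.detected_at:
            raise ValueError("awareness cannot precede detection")


def deadlines(b: Breach) -> Dict[str, datetime]:
    """Every clock runs from awareness; weekends and public holidays do not pause it."""
    due: Dict[str, datetime] = {}
    if b.risk is not Risk.UNLIKELY:
        due["gdpr_art33_authority"] = b.aware_at + GDPR_AUTHORITY
    if b.nis2_entity:
        due["nis2_early_warning"] = b.aware_at + NIS2_EARLY_WARNING
        due["nis2_initial_notification"] = b.aware_at + NIS2_INITIAL
        due["nis2_final_report"] = b.aware_at + NIS2_FINAL
    return due


def obligations(b: Breach) -> List[str]:
    """Duties that apply. Art. 33(5) documentation applies to every breach, notified or not."""
    out = ["document in breach register (Art. 33(5))"]
    if b.risk is Risk.UNLIKELY:
        out.append("record the exemption analysis (why a risk is unlikely)")
        return out
    out.append("notify supervisory authority within 72h (Art. 33(1))")
    if b.risk is Risk.HIGH:
        out.append("communicate to data subjects without undue delay (Art. 34)")
    return out


def notification_status(b: Breach, now: datetime) -> str:
    """One of: not-required, pending, overdue, on-time, late-justified, late-unjustified."""
    due = deadlines(b).get("gdpr_art33_authority")
    if due is None:
        return "not-required"
    if b.notified_authority_at is None:
        return "overdue" if now > due else "pending"
    if b.notified_authority_at <= due:
        return "on-time"
    return "late-justified" if b.delay_reasons.strip() else "late-unjustified"


def hours_remaining(b: Breach, now: datetime) -> Optional[float]:
    """Hours left on the Art. 33 clock, or None if no notice is due or it was already filed."""
    due = deadlines(b).get("gdpr_art33_authority")
    if due is None or b.notified_authority_at is not None:
        return None
    return (due - now) / timedelta(hours=1)


if __name__ == "__main__":
    # Constructed scenario: alert Friday evening, personal data confirmed Saturday morning.
    utc = timezone.utc
    b = Breach(ref="INC-EXAMPLE-1", detected_at=datetime(2024, 5, 3, 18, 30, tzinfo=utc),
               aware_at=datetime(2024, 5, 4, 9, 0, tzinfo=utc), risk=Risk.HIGH, nis2_entity=True)
    for k, v in deadlines(b).items():
        print(f"{k:28s} {v.isoformat()}")      # Art. 33 deadline lands Tuesday 09:00, weekend included
    print(obligations(b))
    print(notification_status(b, datetime(2024, 5, 6, 12, 0, tzinfo=utc)))
```

The scenario in the `__main__` block deliberately starts on a Friday evening: awareness on Saturday 09:00 UTC gives a Tuesday 09:00 UTC deadline, which is the point made in section 3. The register entry keeps awareness and detection as separate fields because a supervisory authority will ask about the gap between them.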
13. Tooling
Legiscope handles the Article 33 workflow: incident classification, 72-hour deadline tracking, pre-drafted notification templates per DPA, processor breach notification coordination, breach register with full audit trail.
For related deep-dives: Article 32 security, Article 34 breach communication, GDPR data breach notification, Article 33 RGPD (FR).
Conclusion
Article 33 is one of the most-tested provisions of the GDPR — and the most prone to operational failure. The 72-hour deadline is unforgiving for unprepared organizations. The fix is preparation: build the incident response workflow before the first breach, test it annually, and ensure processors are contractually bound to fast notification.
FAQ
When does the 72-hour clock start?
When the controller becomes aware of the breach — defined by EDPB as reasonable certainty that a security incident has occurred and led to personal data being compromised. Not the moment of detection (which may be inconclusive).
What if I miss the 72-hour deadline?
You must still notify, accompanied by reasons for the delay. DPAs accept justified delays (complex investigation, multinational coordination) but sanction unexplained delays.
Do I need to notify every breach?
No. Notification is required unless the breach is unlikely to result in a risk to data subjects, and that exemption is narrow. When in doubt, notify. All breaches, including those not notified, must be documented in your internal breach register together with the reasoning.
What if the breach happened at my processor?
The processor must notify you without undue delay. Your 72h to the authority starts from when you become aware. Modern data processing agreements typically require the processor to notify within 24h.
Are there special rules for cross-border breaches?
Yes. Notify the lead supervisory authority under Article 56 — the DPA where you have your main establishment. They coordinate with other concerned DPAs under Article 60.