
GDPR Article 34: Communication of Data Breach to Data Subject

GDPR Article 34 requires communicating personal data breaches to affected data subjects when there's high risk. Threshold, content, exemptions, timing.

In one sentence. GDPR Article 34 requires the controller to communicate a personal data breach to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms — distinct from Article 33, which requires notifying the supervisory authority within 72 hours regardless of risk severity. Three exemptions in Article 34(3) lift the obligation, the most-invoked being prior implementation of measures (typically encryption) that render the data unintelligible to unauthorized parties.

Article 34 is the public-facing half of breach notification. Article 33 (notification to DPA) protects the regulator. Article 34 protects the data subject — who needs to know they should change their password, watch their bank account, or freeze their credit. Get this wrong and you face two enforcement angles: the technical 72h failure (Article 33) AND the failure to warn the affected individuals (Article 34).

For DPA notification (the parallel obligation), see Article 33 RGPD breach notification. For the security measures whose adequacy determines whether a breach is high-risk, Article 32 security of processing.

Key takeaways

  • Trigger: breach likely to result in high risk to rights and freedoms (higher threshold than Article 33’s “any risk”).
  • Timing: without undue delay — typically days, faster than Article 33’s 72h.
  • Three exemptions in Article 34(3): prior protective measures (encryption), subsequent measures eliminating the high risk, or disproportionate effort (then a public communication is required instead).
  • The DPA may compel communication if the controller doesn’t (Article 34(4)).
  • Article 34 violations frequently combine with Articles 32, 33, and 5(1)(f) sanctions.

1. Article 34 — when does it apply?

Article 34(1): when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate it to the data subjects without undue delay.

Three thresholds compared:

Article        | Trigger threshold                          | Recipient
Article 33     | Any risk to rights and freedoms (broad)    | Supervisory authority
Article 34     | High risk to rights and freedoms (narrow)  | Data subjects
Article 33(2)  | Any breach (processor → controller)        | Controller

The Article 34 trigger is higher than Article 33. Many breaches require Article 33 notification but not Article 34 communication.

2. What is “high risk”?

The EDPB Guidelines 9/2022 list factors:

  • Type of breach: confidentiality (exposure) ranks higher than availability (temporary unavailability)
  • Nature, sensitivity, volume of data: special category data (health, biometric) → high risk by default; large volume increases risk
  • Ease of identification: clear identifiers + names → high; pseudonymized → lower
  • Severity of consequences: identity theft, financial loss, discrimination, reputational damage → high
  • Special characteristics: children, vulnerable individuals → higher
  • Number affected: large numbers increase systemic risk

Practical scoring: same 5-dimension method as Article 33 (categories, nature, volume, identifiability, consequences). When 3+ dimensions are in the elevated zone, communicate to data subjects.

3. Timing — “without undue delay”

Article 34 doesn’t specify a numerical deadline (Article 33’s 72h doesn’t apply). “Without undue delay” is interpreted in light of:

  • Severity and urgency
  • Practical capacity to identify affected individuals
  • Time to prepare a clear, actionable communication

Practical timing:

  • Day 0-1: discovery + initial qualification
  • Day 1-2: confirm scope, identify affected individuals
  • Day 2-5: prepare and send communication (parallel with Article 33 notification)

Beyond a week, the controller must justify the delay in the eventual communication.

4. Content of the communication (Article 34(2))

The communication must:

  • Use clear and plain language
  • Describe the nature of the breach
  • Provide the DPO contact (or other contact point)
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach and mitigate its possible adverse effects
  • Recommend specific actions the data subject can take

Compliant communication template

Subject: Important: Personal Data Breach Notification

Dear [Name],

We are writing to inform you that on [date] we discovered a security
incident affecting some of your personal data we hold.

What happened
[Specific factual description of the incident, when discovered, what was
exposed]

What data was affected
[Specific categories of YOUR data — name, email, encrypted password,
order history, etc.]

What this means for you
[Realistic assessment of risks — e.g., risk of phishing using your
email, risk of password being attempted on other services]

What we have done
[Specific remediation: passwords reset, accounts locked, vulnerability
patched, third-party security firm engaged]

What you should do
[Specific actionable recommendations:
- Change your password on our service AND on any service where you
  reused it
- Enable two-factor authentication
- Be alert to phishing emails referencing your account
- Monitor your bank statements / credit report]

Contact
For questions: dpo@company.com or +33 1 XX XX XX XX
You also have the right to lodge a complaint with the CNIL (cnil.fr/plaintes).

[Signature, company]

5. The three exemptions (Article 34(3))

Article 34(3) lifts the communication obligation if:

(a) Appropriate technical and organisational protection measures applied

Specifically: measures that render the data unintelligible to unauthorized parties (typically encryption).

Example accepted: encrypted laptop stolen, encryption keys not compromised → no Article 34 communication required (Article 33 notification still applies). Example rejected: encrypted database with the keys stored on the same server that was compromised; the keys were taken along with the data, so the data is effectively unencrypted and the exemption does not apply.

(b) Subsequent measures ensuring the high risk is no longer likely

Example: phishing site detected and taken down within hours, before any data subject was actually harmed.

(c) Disproportionate effort

In this case, a public communication (press release, dedicated webpage) is required instead. The DPA may scrutinize whether the alternative was adequate.
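The 5-dimension scoring from section 2 and the three Article 34(3) exemptions above combine into one decision that an incident response playbook has to make reproducibly. The following Python is an added example, not code from the article or from Legiscope. It assumes each of the five dimensions has already been reduced to an elevated/not-elevated flag, treats Article 33 as triggered by any elevated dimension (the article's "any risk" reading), and uses invented field names such as keys_compromised and disproportionate_effort; the sample scenarios are constructed to mirror the examples in the text.

```python
"""Decision helper for GDPR Article 33/34 breach response (added example).

Assumptions, not from the article: each scoring dimension is a boolean
"elevated" flag, Article 33 is treated as triggered by any elevated
dimension, and all field names below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional

HIGH_RISK_THRESHOLD = 3  # article's rule: 3+ elevated dimensions => high risk


@dataclass(frozen=True)
class BreachAssessment:
    # The five scoring dimensions (categories, nature, volume,
    # identifiability, consequences), each True when in the elevated zone.
    special_categories: bool       # health, biometric, etc.
    confidentiality_breach: bool   # exposure, as opposed to temporary unavailability
    large_volume: bool
    directly_identifiable: bool    # names + clear identifiers, not pseudonymised
    severe_consequences: bool      # identity theft, financial loss, discrimination
    # Facts relevant to the Article 34(3) exemptions
    data_encrypted: bool = False
    keys_compromised: bool = False
    high_risk_eliminated: bool = False     # e.g. phishing site taken down in hours
    disproportionate_effort: bool = False  # individual contact not feasible


@dataclass(frozen=True)
class Decision:
    elevated_dimensions: int
    notify_dpa: bool                # Article 33
    communicate_individually: bool  # Article 34(1)
    public_communication: bool      # Article 34(3)(c) substitute
    exemption: Optional[str]        # which Article 34(3) limb applied, if any
    rationale: str


def count_elevated(a: BreachAssessment) -> int:
    """Number of the five dimensions sitting in the elevated zone."""
    return sum([a.special_categories, a.confidentiality_breach, a.large_volume,
                a.directly_identifiable, a.severe_consequences])


def decide(a: BreachAssessment) -> Decision:
    elevated = count_elevated(a)
    notify_dpa = elevated >= 1  # assumption: any elevated dimension is "a risk"
    high_risk = elevated >= HIGH_RISK_THRESHOLD

    if not high_risk:
        why = "below high-risk threshold: Article 33 only" if notify_dpa else "no risk identified"
        return Decision(elevated, notify_dpa, False, False, None, why)

    # (a) Encryption only counts if the keys were not taken with the data.
    if a.data_encrypted and not a.keys_compromised:
        return Decision(elevated, True, False, False, "34(3)(a)",
                        "data unintelligible to unauthorised parties; notify DPA only")
    # (b) Subsequent measures removed the high risk.
    if a.high_risk_eliminated:
        return Decision(elevated, True, False, False, "34(3)(b)",
                        "subsequent measures removed the high risk; notify DPA only")
    # (c) Individual contact infeasible: public communication instead.
    if a.disproportionate_effort:
        return Decision(elevated, True, False, True, "34(3)(c)",
                        "public communication required instead of individual contact")
    return Decision(elevated, True, True, False, None,
                    "high risk, no exemption: communicate without undue delay")


def delay_status(days_since_discovery: int) -> str:
    """Article's practical timing: send by day 5; beyond a week, justify the delay."""
    if days_since_discovery <= 5:
        return "on schedule"
    if days_since_discovery <= 7:
        return "late: send immediately"
    return "overdue: justify the delay in the communication"


# Constructed scenarios mirroring the article's examples (not real incidents).
STOLEN_LAPTOP = BreachAssessment(True, True, False, True, False,
                                 data_encrypted=True, keys_compromised=False)
DB_WITH_KEYS = BreachAssessment(True, True, True, True, True,
                                data_encrypted=True, keys_compromised=True)
MASS_BREACH = BreachAssessment(True, True, True, True, True,
                               data_encrypted=True, keys_compromised=True,
                               disproportionate_effort=True)
SHORT_OUTAGE = BreachAssessment(False, False, True, True, False)

if __name__ == "__main__":
    for name, scenario in [("stolen laptop", STOLEN_LAPTOP), ("db + keys", DB_WITH_KEYS),
                           ("mass breach", MASS_BREACH), ("short outage", SHORT_OUTAGE)]:
        d = decide(scenario)
        print(f"{name:13} elevated={d.elevated_dimensions} dpa={d.notify_dpa} "
              f"individual={d.communicate_individually} public={d.public_communication} "
              f"exemption={d.exemption}: {d.rationale}")
    print("day 10:", delay_status(10))
```

The ordering of the exemption checks is deliberate: limb (a) is tested first because the keys_compromised flag is what turns the "accepted" laptop example into the "rejected" database example, and a playbook that only records "data was encrypted" would get that case wrong. Every branch returns a rationale string so the audit trail records why the controller did or did not communicate.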

6. The DPA’s compelling power (Article 34(4))

If the controller does not communicate when Article 34 applies, the DPA may:

  • Require the controller to do so
  • Decide that one of the conditions in Article 34(3) is met

This is enforcement by compulsion — and typically comes with separate sanctions for the failure to communicate proactively.

7. Coordination with Article 33

Article 33 (DPA notification, 72h) and Article 34 (data subject communication, undue delay) often run in parallel:

Time              | Action
Day 0 (discovery) | Containment, initial qualification
Day 0-1           | Risk assessment (Article 33 + 34 evaluation)
Day 0-3           | Article 33 notification to DPA (within 72h)
Day 1-5           | Article 34 communication to data subjects (without undue delay)
Day 7-14          | Public communication if scale warrants
Day 14+           | Final report to DPA, lessons learned

8. Special cases

Mass breaches

For breaches affecting millions, individual email is unrealistic. The CNIL accepts:

  • Banner notice on the affected service
  • Press release
  • Email to known contacts + dedicated FAQ page

But this is the (c) disproportionate effort path — it must be justified.

Vulnerable populations

Children, hospitalized persons, deceased persons: the controller must use language appropriate to the recipient (age-appropriate for children) and consider communicating to parents, guardians or successors as applicable.

Cross-border breaches

Affected residents of multiple EU Member States — communication in their respective languages may be required.

9. Sanctions

Year | Sanction                           | Article 34 issue
2020 | Marriott (ICO) — £18.4M            | Late and inadequate communication to affected guests
2022 | TIM SpA (Garante)                  | Multiple Article 33/34 failures
2022 | Hôpital de Bourges (CNIL) — €60K   | Health data exposed, Article 34 inadequate
2024 | Multiple SaaS (CNIL) — €50K-€500K  | Failure to communicate breaches to users

Article 83(4)(a) places Article 34 violations at the lower fine tier — up to €10M or 2% of global annual turnover. But combined with Article 32 inadequacy and Article 33 timing failures, total sanctions in major cases reach the upper tier.

10. Implementation checklist

  • ☐ Incident response playbook includes Article 34 evaluation step
  • ☐ 5-dimension risk scoring documented
  • ☐ Communication templates pre-drafted (per scenario type)
  • ☐ Process to identify affected individuals (database query rehearsed)
  • ☐ Channel ready (transactional email system separate from marketing)
  • ☐ Multilingual templates if cross-border
  • ☐ DPO contact + alternative point of contact designated
  • ☐ Mass-breach plan: dedicated webpage + press release process
  • ☐ Decision matrix on (a) protective measures exemption — pre-documented per data category
  • ☐ Records of communication retained 5 years

11. Tooling

Legiscope handles the Article 34 workflow alongside Article 33: risk scoring, decision support, communication templates, recipient list generation, audit trail.

For related deep-dives: Article 33 RGPD breach notification, Article 32 security, Article 35 DPIA, GDPR data breach notification.

Conclusion

Article 34 is where breach response meets customer trust. The decision to communicate or not — and how — is scrutinized after the fact by both DPAs and customers. Pre-built templates, a documented risk scoring process, and a tested workflow shrink the decision time from days to hours, which matters for both legal and reputational outcomes.

FAQ

When must I communicate a breach to data subjects under GDPR?

When the breach is likely to result in a high risk to their rights and freedoms (Article 34(1)). This is a higher threshold than the Article 33 trigger for notifying the DPA. Many breaches require DPA notification but not data subject communication.

What’s the deadline?

“Without undue delay” — Article 34 doesn’t specify hours. In practice, days from discovery. The Article 33 72h deadline doesn’t apply.

Are there exemptions?

Three: (a) prior protective measures (typically encryption) rendering the data unintelligible, (b) subsequent measures eliminating the high risk, (c) disproportionate effort — in which case a public communication is required instead.

What must the communication contain?

Clear and plain language describing the nature of the breach, DPO contact, likely consequences, measures taken to mitigate, and specific actions the data subject can take (change password, watch bank statements, etc.).

What happens if I don’t communicate when I should?

The DPA may compel communication (Article 34(4)) AND impose sanctions for the failure. Article 34 sanctions sit at the lower tier (up to €10M or 2% of turnover) but combine with Article 32 / 33 failures in major cases.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
