When a personal data breach occurs, controllers have 72 hours to notify their supervisory authority under Art. 33(1) GDPR. This is not a guideline – it is a legal obligation with direct enforcement consequences. In 2024 alone, European DPAs issued over EUR 40 million in fines where late or missing breach notification was a cited violation. The Irish DPC fined Bank of Ireland EUR 463,000 (Decision IN-21-5-1, March 2022) in a case where late and missing breach notifications were central findings. This article explains every element of the GDPR breach notification obligation: what triggers it, what the notification must contain, and when data subjects themselves must be informed.
Key Takeaways
- Controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach under Art. 33(1) GDPR, unless the breach is unlikely to result in a risk to individuals.
- A “breach” covers confidentiality, integrity, and availability incidents – not just data theft.
- Late notification is itself a distinct GDPR violation that can trigger fines independently of the underlying breach.
- Data subjects must be notified under Art. 34 GDPR when the breach is likely to result in a high risk to their rights and freedoms.
What Constitutes a Personal Data Breach
Art. 4(12) GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” The EDPB Guidelines 9/2022 on personal data breach notification clarify three categories:
Confidentiality breach: Unauthorized disclosure or access. Examples: a database exposed on the public internet, credentials leaked in a phishing attack, an email containing personal data sent to the wrong recipient.
Integrity breach: Unauthorized alteration. Examples: ransomware that encrypts and modifies patient records, an employee who alters payroll data without authorization.
Availability breach: Loss of access to or destruction of personal data. Examples: a ransomware attack that renders data inaccessible (even if not exfiltrated), permanent loss of data due to server failure without backup, accidental deletion of a customer database.
A single incident can combine all three categories. The EDPB emphasizes that a breach does not require malicious intent – accidental breaches are equally covered. A misdirected email containing one person’s health data is a notifiable breach if it is likely to result in a risk to that individual; a single affected person is no bar to notification.
The 72-Hour Notification Timeline
Art. 33(1) GDPR requires the controller to notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach.
When the clock starts
The 72-hour period begins when the controller has a “reasonable degree of certainty” that a security incident has compromised personal data. The EDPB Guidelines 9/2022 provide examples:
- If a controller detects a network intrusion and confirms within 2 hours that personal data was accessed, the 72 hours start from that confirmation.
- If a processor detects the breach, Art. 33(2) requires the processor to notify the controller “without undue delay.” The controller’s 72-hour clock starts when the processor informs it – not when the processor first detected the incident.
- A controller cannot delay “awareness” by failing to invest in detection systems. The AEPD, in Decision PS/00100/2022 (7 December 2022, EUR 120,000 fine against Mercadona), held that an organization’s failure to detect a breach for 3 months due to inadequate monitoring did not reset the notification clock.
When the 72 hours are exceeded
If notification is not made within 72 hours, Art. 33(1) requires the controller to provide “reasons for the delay” alongside the notification. This does not excuse the late notification – it creates a record that supervisory authorities will evaluate. Extended forensic investigation is a recognized reason for partial delay, but only if the controller notifies with available information and supplements it later under Art. 33(4).
Key distinction: Late notification is a separate infringement. Art. 83(4)(a) GDPR subjects notification failures to fines of up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. DPAs have imposed standalone fines specifically for late notification, even where the underlying breach was minor.
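The timing rules above (when awareness starts, the processor hand-off under Art. 33(2), the 72-hour deadline, the reasons-for-delay requirement when it is missed, and the routing of a breach to authority-only, authority-plus-data-subjects, or register-only under Art. 33/34) are easy to get wrong in an incident channel at 3 a.m. The following Python breach-register helper is an added example, not code from the original article or from any supervisory authority; the record fields, status strings and the sample breaches are constructed for illustration, and the risk classification is an input produced by the human assessment, not something the code decides.

```python
"""Breach-register helper encoding the Art. 33/34 GDPR timing and routing rules.

Added example (not from the original article). All names, status strings
and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional

NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): "not later than 72 hours after having become aware"


class Risk(Enum):
    """Outcome of the risk assessment; supplied by the assessor, not computed here."""
    NONE = "unlikely to result in a risk"      # register only, Art. 33(5)
    RISK = "likely to result in a risk"        # notify the supervisory authority, Art. 33(1)
    HIGH = "likely to result in a high risk"   # also communicate to data subjects, Art. 34(1)


def _utc(ts: datetime) -> datetime:
    """Refuse naive timestamps: deadlines computed from mixed local times are a classic way to be late."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


@dataclass
class BreachRecord:
    ref: str
    detected_by: str                 # "controller" or "processor"
    detected_at: datetime            # first detection, wherever it happened
    risk: Risk
    controller_informed_at: Optional[datetime] = None  # processor -> controller report, Art. 33(2)
    notified_authority_at: Optional[datetime] = None
    reasons_for_delay: Optional[str] = None            # required by Art. 33(1) if the window is missed

    def awareness_at(self) -> datetime:
        """Controller awareness per EDPB Guidelines 9/2022: its own confirmation, or the processor's report."""
        if self.detected_by == "processor":
            if self.controller_informed_at is None:
                raise ValueError(f"{self.ref}: processor has not yet informed the controller")
            return _utc(self.controller_informed_at)
        return _utc(self.detected_at)

    def deadline(self) -> datetime:
        return self.awareness_at() + NOTIFY_WINDOW

    def must_notify_authority(self) -> bool:
        return self.risk is not Risk.NONE

    def must_notify_data_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def status(self, now: datetime) -> str:
        if not self.must_notify_authority():
            return "document-only"
        if self.detected_by == "processor" and self.controller_informed_at is None:
            return "awaiting-processor-report"  # the clock is still on the processor's side
        deadline = self.deadline()
        if self.notified_authority_at is None:
            left = deadline - _utc(now)
            if left < timedelta(0):
                return "overdue"
            return f"pending ({int(left.total_seconds() // 3600)}h left)"
        if _utc(self.notified_authority_at) <= deadline:
            return "notified-on-time"
        return "notified-late" if self.reasons_for_delay else "notified-late-missing-reasons"


def status_report(records: List[BreachRecord], now: datetime) -> Dict[str, str]:
    return {r.ref: r.status(now) for r in records}


# Constructed sample register; dates are arbitrary.
REVIEW_AT = datetime(2024, 2, 2, 8, tzinfo=timezone.utc)


def sample_register() -> List[BreachRecord]:
    utc = timezone.utc
    return [
        # Controller confirmed access at 09:00 on 10 Jan; notified 54 h later -> on time.
        BreachRecord("BR-001", "controller", datetime(2024, 1, 10, 9, tzinfo=utc), Risk.RISK,
                     notified_authority_at=datetime(2024, 1, 12, 15, tzinfo=utc)),
        # Processor sat on it for two days; clock starts at the report (3 Jan 10:00), not detection.
        # Notified 96 h after awareness with no stated reasons -> late and incomplete.
        BreachRecord("BR-002", "processor", datetime(2024, 1, 1, 0, tzinfo=utc), Risk.HIGH,
                     controller_informed_at=datetime(2024, 1, 3, 10, tzinfo=utc),
                     notified_authority_at=datetime(2024, 1, 7, 10, tzinfo=utc)),
        # Encrypted laptop lost, key safe, backup available -> register entry only.
        BreachRecord("BR-003", "controller", datetime(2024, 1, 20, 12, tzinfo=utc), Risk.NONE),
        # Confirmed 24 h before REVIEW_AT, not yet notified -> 48 h left.
        BreachRecord("BR-004", "controller", datetime(2024, 2, 1, 8, tzinfo=utc), Risk.RISK),
        # Processor detected, controller not yet informed -> nothing to count down yet.
        BreachRecord("BR-005", "processor", datetime(2024, 2, 1, 20, tzinfo=utc), Risk.RISK),
    ]


if __name__ == "__main__":
    for ref, st in status_report(sample_register(), REVIEW_AT).items():
        print(ref, st)
```

The `_utc` guard is deliberate: the single most common way a breach register drifts from the legal clock is a detection timestamp in one time zone and a notification timestamp in another. Note that BR-002 is flagged both for lateness and for the absent reasons, and that `must_notify_data_subjects()` is true for it because the assessment marked it high risk; the code only enforces the consequences of that assessment.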
What the Notification Must Contain
Art. 33(3) GDPR specifies four mandatory elements of the notification to the supervisory authority:
1. Nature of the breach. Including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
2. Contact details of the DPO or other contact point. The data protection officer or another designated person who can provide further information.
3. Likely consequences of the breach. An assessment of the potential impact: identity theft, financial loss, reputational damage, discrimination, or other significant effects.
4. Measures taken or proposed. The steps taken to address the breach and mitigate its adverse effects, including containment measures, forensic investigation, and remediation actions.
If the controller does not have all information at the time of notification, Art. 33(4) allows phased notification – providing information “without undue further delay” as it becomes available. This is critical: the 72-hour obligation applies to the initial notification, not to a complete notification.
When to Notify Data Subjects Under Art. 34
Art. 34(1) GDPR adds a second notification obligation: when a breach is “likely to result in a high risk to the rights and freedoms of natural persons,” the controller must communicate the breach to the affected data subjects “without undue delay.”
The high-risk threshold
The threshold for data subject notification is higher than for supervisory authority notification. Art. 33 uses “risk” as the baseline; Art. 34 requires “high risk.” The EDPB Guidelines 9/2022 identify factors that indicate high risk:
- Nature of the data (health, financial, identity documents)
- Volume of affected individuals
- Severity of potential consequences (identity theft, financial fraud)
- Special characteristics of data subjects (children, patients, employees)
- Whether data was encrypted or otherwise protected
Exemptions from data subject notification
Art. 34(3) provides three exemptions where data subject notification is not required:
(a) The controller has implemented appropriate technical and organizational measures that render the data unintelligible to unauthorized persons – e.g., state-of-the-art encryption where the key was not compromised.
(b) The controller has taken subsequent measures that ensure the high risk is no longer likely to materialize.
(c) The notification would involve disproportionate effort, in which case a public communication or similar measure must be used instead.
Enforcement Examples: What Goes Wrong
DPC Ireland, Decision IN-21-5-1, March 2022, EUR 463,000 fine against Bank of Ireland. The DPC examined 22 breaches reported by the bank, concerning inaccurate customer data transmitted to the Central Credit Register, and found that a number of them were not notified within 72 hours and that affected customers were not informed where they should have been. The infringements found were of Art. 33(1) and Art. 34(1), alongside Art. 5(1)(f) and Art. 32(1); Art. 33(2) did not apply, since the bank acted as controller, not processor.
CNIL, Deliberation SAN-2022-020, 10 November 2022, EUR 800,000 fine against Discord Inc. This was not a breach notification case: the CNIL found failures under Art. 32 (among other provisions), notably a password policy that accepted 6-character passwords made of letters and digits without further complexity requirements. It is relevant here because weak account security of this kind is exactly what turns a credential leak into a reportable confidentiality breach.
ICO, monetary penalty notice, October 2022, GBP 4.4 million against Interserve Group. A phishing email opened by an employee led to the compromise of personal data of 113,000 current and former employees. The ICO found that the anti-virus had quarantined the malware and raised an alert, but the alert was not properly investigated, systems were running outdated software, and staff training was inadequate, so the intrusion went undetected while the attackers moved through the network. The penalty was imposed under Art. 5(1)(f) and Art. 32, but the lesson for Art. 33 is direct: an alert nobody investigates delays awareness, and with it the start of a clock the DPA will nonetheless expect to have started promptly.
AEPD, Decision PS/00547/2022, 22 November 2022, EUR 200,000 fine against CaixaBank. The AEPD found that CaixaBank failed to notify a breach affecting 5 million customers within 72 hours. The breach was caused by a configuration error in an internal application and was not reported for 11 days.
Building a 72-Hour Response Process
A compliant breach notification process requires preparation before a breach occurs. The following framework ensures the 72-hour timeline is achievable:
1. Detection mechanisms. Implement automated monitoring for unauthorized access, data exfiltration, and system integrity changes. The EDPB expects controllers to invest in detection proportionate to their risk profile.
2. Internal escalation protocol. Define who must be notified internally, in what order, and within what timeframe. The DPO must be informed immediately. A common failure pattern is that IT or the SOC detects the breach but does not inform the DPO or legal for days, so most of the 72 hours are gone before anyone responsible for notification knows the clock is running.
3. Assessment template. Pre-build a breach assessment form that maps to Art. 33(3) requirements: nature, scope, likely consequences, and proposed measures. Having this template ready saves hours during a crisis.
4. Supervisory authority contact details. Maintain current contact information and the online notification forms for every supervisory authority you may have to notify: your lead supervisory authority under the one-stop-shop mechanism where you have an EU establishment, and otherwise the authority in each Member State whose data subjects are affected. Include breach notification readiness as a standing item on the GDPR compliance checklist.
5. Data subject communication template. Pre-draft notification templates for Art. 34 communications. These must be clear, specific, and avoid minimizing the breach.
6. Post-breach documentation. Art. 33(5) requires controllers to document all breaches, including facts, effects, and remedial actions – even breaches that do not require notification because they are unlikely to result in a risk. This breach register is subject to supervisory authority inspection.
FAQ
Does every data breach require notification to the supervisory authority?
No. Art. 33(1) GDPR only requires notification when the breach “is likely to result in a risk to the rights and freedoms of natural persons.” If the breach is unlikely to result in any risk – for example, an encrypted laptop is lost, the encryption key was not compromised, and the data is available from a backup so the loss is not also an availability breach – notification is not required. However, the controller must still document the breach in its internal breach register under Art. 33(5).
What happens if we miss the 72-hour deadline?
Late notification is a distinct violation of Art. 33(1) GDPR, subject to fines under Art. 83(4)(a) of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. The controller must still notify, explaining the reasons for the delay. Supervisory authorities assess the length and reasons for the delay when determining the fine. Complete failure to notify is treated more severely than late notification.
Does the 72-hour rule apply to processors?
Processors are not directly subject to the 72-hour notification obligation to supervisory authorities – that obligation falls on controllers. However, Art. 33(2) requires processors to notify the controller “without undue delay” after becoming aware of a breach. The data processing agreement should specify the processor’s notification timeframe, typically 24-48 hours.
Can phased notification satisfy the 72-hour requirement?
Yes. Art. 33(4) explicitly permits information to be provided “in phases” without undue further delay. The initial notification within 72 hours must include whatever information is available at that point. Supplementary information can follow as the investigation progresses. This approach is specifically designed for complex breaches where full details are not immediately available.