A personal data breach just hit your SaaS. Systems are contained, forensics are underway — and now your DPO is asking: what do we file with the DPA, and do we have to tell users?
GDPR Articles 33 and 34 set two separate notification obligations. Getting them right, especially the 72-hour deadline, matters: the Irish DPC fined Twitter €450,000 in 2020 for notifying late and documenting the breach inadequately (Art. 33(1) and 33(5)), and the large breach-related fines you have read about (British Airways £20M and Marriott £18.4M from the ICO) were imposed for the security failures behind the breaches (Art. 5(1)(f) and 32), with the notification handling examined alongside. A late or incomplete notification compounds whatever exposure the breach itself created. This guide covers exactly what you need to submit.
The Two Notification Obligations Under GDPR
| Article | Obligation | Threshold | Deadline | Recipient |
|---|---|---|---|---|
| Art. 33 | Supervisory Authority notification | Breach likely to result in ANY risk to individuals (i.e. unless it is unlikely to result in a risk) | 72 hours from awareness | Competent supervisory authority (the lead DPA for cross-border processing) |
| Art. 34 | Individual notification | Breach likely to result in HIGH risk to individuals | Without undue delay | Affected individuals |
Key point: the Art. 33 threshold is lower than Art. 34, so you can be required to notify the DPA but not individuals. The reverse never holds: a breach that is likely to result in a high risk (Art. 34) is by definition likely to result in a risk (Art. 33), so an individual notification always comes with a DPA notification.
When the 72-Hour Clock Starts
The 72 hours run from when the controller becomes aware of the breach — not when it occurred. The EDPB has clarified that a controller becomes "aware" when it has "reasonable degree of certainty" that a security incident has occurred that compromised personal data.
In practice:
- A monitoring alert fires at 2 AM: the alert triggers a short investigation, and the clock starts as soon as that investigation establishes with reasonable certainty that personal data was compromised. The guidelines expect the investigation to be prompt; it cannot be used to hold the clock back.
- A customer reports suspicious login activity: the report obliges you to investigate; the clock starts once you confirm that the account (or others) was actually accessed by an unauthorised party.
- An employee discovers that a misconfigured S3 bucket containing personal data is publicly accessible: the clock starts on discovery. Awareness does not wait for access logs to prove that anyone downloaded the data.
- A processor or sub-processor tells you about a breach affecting your users: the controller is deemed aware when the processor informs it, so the clock starts when you receive their notification.
The clock runs over weekends and public holidays. Art. 33(1) says that a notification made after 72 hours must be accompanied by the reasons for the delay, so if you are late, document why; a justified, documented delay is treated far more leniently than an unexplained one.
When You DON'T Have to Notify the DPA (Art. 33 Exemption)
Art. 33(1) contains a narrow exemption: notification is not required where "the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
This exemption is genuinely narrow. It applies in situations such as:
- A test/development database containing only synthetic or dummy data was exposed (strictly speaking, if no real personal data is involved there is no personal data breach at all; confirm that before relying on it)
- Encrypted data was accessed and the encryption key was not compromised (encryption safe harbour)
- An employee accidentally sent an internal document to a wrong internal email address with no external exposure
When in doubt, notify. Over-reporting costs you a form; under-reporting is an Art. 33 infringement in its own right, on top of the breach. Some DPAs will discuss an incident informally before you file if you are unsure whether the threshold is met.
Article 33(3) — Mandatory Content for DPA Notification
Art. 33(3) sets out the four required elements of a DPA notification. Every notification must include:
| Art. 33(3) | Required Information | Common Mistakes |
|---|---|---|
| (a) Nature of breach | Categories and approximate number of data subjects and records affected; nature of the breach (confidentiality / integrity / availability) | Being vague about what data was involved; not distinguishing record count from data subject count |
| (b) DPO / contact point | Name and contact details of the DPO or other point of contact | Listing generic 'privacy@' without a named person |
| (c) Likely consequences | Description of the likely consequences of the breach | Generic boilerplate ('individuals may be at risk'); DPAs want specific consequences for this specific breach |
| (d) Measures taken / proposed | Measures taken or proposed to address the breach, including to mitigate its possible adverse effects | Only listing technical measures; forgetting to include measures to help affected individuals |
Art. 33(4), phased notification: if you don't have all the information within 72 hours, you may submit an initial notification with what you know and provide the rest in phases "without undue further delay." Always clearly mark your submission as "INITIAL — further information to follow", and say what is still being established and when you expect to have it.
Where to Notify — Your Lead DPA
Under the one-stop-shop mechanism (Art. 56), if your processing is cross-border, you notify your lead supervisory authority, the DPA of the member state where you have your EU main establishment. If the breach only affects data subjects in a single member state, notify that state's DPA. If you have no establishment in the EU at all (you fall under Art. 3(2) and act through an Art. 27 representative), the one-stop-shop is not available: notify the DPA of each member state where affected individuals are located.
| Country | DPA | Breach Notification Portal |
|---|---|---|
| Estonia | Andmekaitse Inspektsioon (AKI) | aki.ee — breach register |
| Ireland | Data Protection Commission (DPC) | dataprotection.ie/en/report-a-breach |
| Germany | The 16 state DPAs (Landesbeauftragte) for private companies; BfDI for federal public bodies and telecoms/postal providers | Per-state portals; bfdi.bund.de |
| France | CNIL | notifications.cnil.fr |
| Netherlands | Autoriteit Persoonsgegevens (AP) | autoriteitpersoonsgegevens.nl |
| UK (post-Brexit, under UK GDPR, same 72-hour rule) | Information Commissioner's Office (ICO) | ico.org.uk/for-organisations/report-a-breach |
| Italy | Garante | gpdp.it |
| Spain | AEPD | aepd.es |
Article 34 — When You Must Notify Individuals
Art. 34(1) requires individual notification when the breach is "likely to result in a high risk to the rights and freedoms of natural persons." This is a higher threshold than Art. 33.
High-risk indicators include:
- Special category data (Art. 9) exposed: health, genetic or biometric data, racial or ethnic origin, sex life or sexual orientation, political opinions, religious or philosophical beliefs, trade union membership
- Financial data (bank accounts, card numbers) that could enable fraud
- Login credentials that could enable account takeover
- Children's data
- Large scale exposure (thousands of records)
- Data that enables identity theft
- Location data that could enable physical harm
Article 34(3) — Three Exemptions from Individual Notification
| Art. 34(3) | Exemption | When it applies |
|---|---|---|
| (a) | Appropriate technical / organisational measures, in particular ones that render the data unintelligible to anyone not authorised to access it | Data was encrypted with a strong, current algorithm and the key was not compromised. Pseudonymisation alone rarely qualifies, because the data stays re-identifiable by anyone holding the additional information; it helps only where that information is demonstrably unaffected |
| (b) | Subsequent measures eliminate high risk | You have acted to ensure high risk is no longer likely to materialise |
| (c) | Disproportionate effort | You cannot reasonably contact each individual directly (e.g. no usable contact details). You must instead use a public communication or an equally effective measure to inform them. Document why direct contact was not feasible. |
Even if you use an exemption, document your reasoning in your Art. 33(5) breach register. The DPA may ask for it.
What to Include in Individual Notifications (Art. 34(2))
Individual notifications must include:
- Description of the nature of the breach in clear, plain language
- Name and contact details of the DPO / privacy contact
- Likely consequences of the breach
- Measures taken or proposed, including measures individuals can take to protect themselves
Critically: "clear and plain language" (Art. 12(1)) is taken seriously. Avoid legal jargon, send a dedicated message rather than burying the notice in a newsletter or terms update, and tell people concretely what to do (reset the password, expect phishing that references the breach, contact their bank).
Article 33(5) — The Breach Register (Often Forgotten)
Every breach must be documented in an internal breach register — even if you decide NOT to notify the DPA. This register must include:
- The facts of the breach
- Its effects
- Remedial action taken
- Your reasoning for not notifying (if applicable)
Supervisory authorities routinely request this register during inspections and after complaints. A complete register also protects you: it shows you took the breach seriously and made a documented, reasoned decision.
Processor-Side Obligations (Art. 33(2))
If you are a data processor (you process personal data on behalf of a controller), you must notify your controller without undue delay after becoming aware of a breach. The GDPR sets no numeric deadline for processors; in practice "without undue delay" means hours, and most processing agreements specify 24–48 hours so the controller keeps most of its own 72-hour window.
Your data processing agreement (the Art. 28 contract, not to be confused with the supervisory authority) should specify the exact notification timeline, the channel, and the minimum content the processor must provide. If it doesn't, that's a gap you should fix.
Build Your Breach Response Stack
- GDPR Breach Notification Template Generator — Art. 33 DPA form + Art. 34 individual notice + breach register entry
- Incident Response Plan Generator — covers detection, containment, notification workflow
- Information Security Policy Generator — includes breach classification and escalation
- GDPR DPA Generator — Art. 33(2) processor notification clause
- GDPR RoPA Generator — needed to identify which processing activities were affected
- GDPR 72-Hour Rule Overview
- GDPR Data Subject Rights Guide
⚠️ This article is for informational purposes only and does not constitute legal advice. GDPR breach notification requirements and enforcement evolve regularly. Consult your DPO and qualified legal counsel before submitting any breach notification to a supervisory authority.