Article 33 of the GDPR requires controllers to notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 34 adds a separate duty to notify affected data subjects when the risk is "high." That is the one-paragraph version. The details are where organizations get hurt.
When the 72-Hour Clock Starts
The clock starts when the controller becomes aware of the breach. The European Data Protection Board's Guidelines 9/2022 define awareness as the moment the controller has a reasonable degree of certainty that a security incident has occurred leading to personal data being compromised.
- A vague alert is not awareness. A confirmed incident affecting personal data is.
- Once aware, the clock does not pause because you are still investigating. Article 33(4) explicitly anticipates this: where it is not possible to provide all the information at once, it may be provided in phases without undue further delay. Submit an initial notification with what you have and follow up.
- If your processor (say, a SaaS vendor) becomes aware, Article 33(2) requires it to notify you "without undue delay." You are treated as aware from the moment the processor informs you, so your clock starts then; the Article 28 processing contract is where you pin down how quickly the processor must tell you and what it must include.
What the Notification Must Contain
Article 33(3) mandates minimum content:
- Nature of the breach, categories and approximate number of data subjects concerned, and categories and approximate number of records.
- Name and contact details of the DPO or other contact point.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its adverse effects.
If you cannot provide all the information at once, phase it. Most DPAs provide online portals; the UK ICO, CNIL (France) and the Irish DPC all have web forms, and in Germany the competent authority for most private-sector controllers is the data protection authority of the Land where they are established rather than the federal BfDI, so check which state portal applies. Use portals rather than email where possible; the portal produces a reference number that is useful for later correspondence.
Which DPA?
The "lead supervisory authority" under the one-stop-shop mechanism is the DPA of the controller's main establishment in the EU. For companies with a single EU hub, this is straightforward. For cross-border cases, the lead DPA coordinates with the other concerned DPAs.
Non-EU controllers covered by Article 3(2) (offering goods/services to data subjects in the EU, or monitoring their behavior) have no main establishment and therefore no lead authority; the one-stop-shop does not apply to them. Per the EDPB's breach guidelines, such a controller must notify the supervisory authority of every member state in which affected data subjects reside. Designating an Article 27 representative does not change this: the representative's location does not create a lead DPA.
When Subject Notification Is Required
Article 34 kicks in when the breach is likely to result in a "high risk" to rights and freedoms. Factors to weigh:
- Type of breach (confidentiality vs. integrity vs. availability).
- Nature of the data (special categories under Article 9, such as health or biometric data, push the assessment toward high risk).
- Ease of identifying individuals from the compromised data.
- Severity of consequences (financial loss, identity theft, discrimination).
- Special characteristics of the data subjects (children, vulnerable populations).
- Volume and persistence of the data.
Article 34(3) gives three exceptions that let you skip individual subject notification:
- The data was rendered unintelligible to unauthorized parties (e.g., strong encryption) and the key was not compromised.
- Measures taken after the breach ensure the high risk is no longer likely to materialize.
- Direct communication would involve disproportionate effort, in which case a public communication or an equally effective substitute is required instead.
Note that under Article 34(4) the supervisory authority can still order you to notify data subjects, or rule that one of the exceptions applies, after reviewing your assessment.
Recent Enforcement in Perspective
Fines that have shaped practical interpretation:
- Meta Platforms Ireland — €1.2B (May 2023). EU-US data transfer case under Chapter V, not specifically a breach notification fine, but the single largest GDPR penalty and a reminder that the upper bound (4% of global turnover or €20M, whichever is higher) is real.
- TikTok — €345M (September 2023), Irish DPC. Children's data processing violations; illustrates how special-category and vulnerable-population data drives sanctions.
- Amazon — €746M (July 2021), Luxembourg CNPD. Advertising consent, not a breach per se, but the fine is a common reference point for severity.
- Clearview AI — €20M each from France (CNIL), Italy (Garante) and Greece, plus £7.5M from the UK ICO under the UK GDPR. Processing without lawful basis plus cooperation failures.
Breach-notification-specific fines tend to be smaller but frequent — tens or hundreds of thousands of euros, often tied to late notification rather than the underlying incident. The aggravating factor DPAs cite most often is "we waited to be sure before notifying." The rule is to notify in phases, not to wait.
Documentation Requirements
Article 33(5) requires controllers to document all personal data breaches — including those not notified — with:
- Facts relating to the breach.
- Its effects.
- Remedial action taken.
This record is what DPAs ask for during audits. "We assessed and did not notify because it was low risk" is a legitimate outcome, but only if the assessment is written down and defensible.
Practical Preparation
- Keep a pre-filled template of the Article 33 notification content for your most common scenarios.
- Maintain a list of DPAs and portal URLs for every jurisdiction in your scope.
- Have an EU representative designated and contactable if you are a non-EU controller under Article 27.
- Run a table-top exercise annually with the 72-hour clock as a constraint. You will find gaps in your detection and escalation that would otherwise surface during a real incident.
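The mechanics above (the absolute 72-hour clock from awareness, phased submission of the Article 33(3) items, and the Article 33(5) record that must exist whether or not you notify) are easy to get wrong under pressure, so here is a small register that encodes them. This is an added example, not code from the article or from any DPA; the field names, the risk vocabulary ("none", "risk", "high") and the incident details in `demo()` are constructed for illustration.

```python
# Added example: a minimal breach register encoding the Article 33/34 mechanics.
# Field keys, risk labels and the demo incidents are this example's own assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)

# Article 33(3) minimum content, keyed by sub-paragraph (the keys are ours, not GDPR's).
REQUIRED = {
    "nature": "33(3)(a) nature of the breach, categories and approx. numbers of subjects/records",
    "contact": "33(3)(b) DPO or other contact point",
    "consequences": "33(3)(c) likely consequences",
    "measures": "33(3)(d) measures taken or proposed",
}


@dataclass
class Breach:
    ref: str
    aware_at: datetime            # the "reasonable degree of certainty" moment
    risk: str                     # assumed vocabulary: "none", "risk", "high"
    notification: dict = field(default_factory=dict)
    phases: list = field(default_factory=list)   # one entry per Art 33(4) phase
    log: list = field(default_factory=list)      # Art 33(5) record, notified or not

    def __post_init__(self):
        # The clock is absolute; a naive timestamp is a classic source of a late notice.
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")

    @property
    def deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW

    def must_notify_dpa(self) -> bool:
        # Art 33(1): notify unless the breach is unlikely to result in a risk.
        return self.risk != "none"

    def must_notify_subjects(self) -> bool:
        # Art 34(1): individual notification only where the risk is high.
        return self.risk == "high"

    def missing(self) -> list:
        return [k for k in REQUIRED if not self.notification.get(k)]

    def submit_phase(self, at: datetime, **known) -> dict:
        """Send what is known now; 33(3) items still unknown are listed as pending."""
        self.notification.update({k: v for k, v in known.items() if k in REQUIRED})
        entry = {"at": at, "sent": sorted(known), "pending": self.missing()}
        self.phases.append(entry)
        self.log.append(f"{at.isoformat()} phase {len(self.phases)} "
                        f"sent={entry['sent']} pending={entry['pending']}")
        return entry

    def initial_late(self, now: datetime) -> bool:
        """True if the first notification was, or would now be, outside the 72-hour window."""
        first = self.phases[0]["at"] if self.phases else now
        return first > self.deadline

    def hours_left(self, now: datetime) -> float:
        return (self.deadline - now).total_seconds() / 3600

    def record_no_notification(self, at: datetime, rationale: str) -> None:
        """Art 33(5): a decision not to notify still goes into the register, with reasons."""
        if self.must_notify_dpa():
            raise ValueError(f"{self.ref}: risk is {self.risk!r}; Art 33(1) requires notification")
        self.log.append(f"{at.isoformat()} not notified: {rationale}")


def demo() -> dict:
    """Constructed scenario (not a real incident): a high-risk breach notified in two
    phases, an unnotified high-risk breach past its deadline, and a documented no-risk case."""
    aware = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    b = Breach("INC-0001", aware, risk="high")
    first = b.submit_phase(aware + timedelta(hours=20),
                           nature="credential stuffing exposed ~1,200 customer records",
                           contact="dpo@example.com")
    second = b.submit_phase(aware + timedelta(hours=80),
                            consequences="account takeover, targeted phishing",
                            measures="forced password reset, MFA enforced")
    silent = Breach("INC-0003", aware, risk="high")          # nobody filed anything
    quiet = Breach("INC-0002", aware, risk="none")
    quiet.record_no_notification(aware + timedelta(hours=2),
                                 "encrypted laptop lost; key in hardware, device wiped remotely")
    return {
        "deadline": b.deadline.isoformat(),
        "hours_left_at_20h": b.hours_left(aware + timedelta(hours=20)),
        "first_pending": first["pending"],
        "second_pending": second["pending"],
        "initial_late": b.initial_late(aware + timedelta(hours=80)),
        "silent_late": silent.initial_late(aware + timedelta(hours=80)),
        "subjects": b.must_notify_subjects(),
        "quiet_dpa": quiet.must_notify_dpa(),
        "quiet_log_len": len(quiet.log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that lateness is judged on the first phase only: the 72-hour window applies to the initial notification, and later phases are judged on "undue further delay", which is why `initial_late` looks at `phases[0]` and why the second phase at +80h in the demo does not make the notification late. The register also refuses to record a "not notified" decision for anything above no-risk, so the Article 33(5) log can only contain defensible outcomes.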
GDPR breach notification is less about perfection than about demonstrable good faith: notify on time with what you know, update as you learn more, document your reasoning either way. DPAs reward that discipline and punish the opposite.