CIPP/E Study Guide
Ch 10.3.2 - Article 33

Article 33 - notifying the supervisory authority

Article 33 requires the controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a notification made after the 72 hours must be accompanied by the reasons for the delay. 'Awareness' means a reasonable degree of certainty that a breach has occurred, so breach detection is implicitly required. Article 33(2): processors notify the controller without undue delay after becoming aware, and do not assess risk. Article 33(3)/(4): set out the required content and allow phased notification. Article 33(5): document all breaches, including those not notified.

Article 33 requires notification of breaches to the regulator. The trigger is awareness: the duty arises once the controller becomes aware of the breach, and the 72-hour clock runs from that moment. The WP29 (Guidelines WP250) says a controller is 'aware' when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised; a short period of investigation to establish this is permitted, but the emphasis is on prompt action. Because of this, breach detection measures (e.g. log and data-flow analysis, a security operations centre) are implicitly required by the security principle (Articles 5(1)(f) and 32) and Recital 87, which expects measures that establish immediately whether a breach has occurred - a controller cannot avoid the rules by failing to detect.

Once a suspected breach is detected, the controller decides whether it meets the definition of a personal data breach (Article 4(12)) and, if so, whether it is likely to result in a risk to the rights and freedoms of individuals. If it is unlikely to result in a risk, it need not be notified, but the decision and its reasoning must still be recorded under Article 33(5). The WP29 lists the factors to weigh: type of breach; nature, sensitivity and volume of the data; ease of identifying individuals; severity of the consequences; special characteristics of the individuals; special characteristics of the controller; number of individuals affected. Controllers should err on the side of caution and notify borderline cases; the ENISA severity assessment methodology helps structure the assessment.

Key parameters of Article 33

Article 33(1): Notify the supervisory authority without undue delay and, where feasible, within 72 hours of awareness, unless the breach is unlikely to result in a risk to rights and freedoms; give reasons if notification is later than 72 hours.
Article 33(2): Processors notify the controller without undue delay after becoming aware - and do NOT perform a 'risk to rights and freedoms' assessment.
Article 33(3): Core content the notification must contain - nature of the breach (categories and approximate numbers of data subjects and records), DPO or other contact point, likely consequences, and measures taken or proposed.
Article 33(4): Allows phased notification, without undue further delay, where all information is not yet available.
Article 33(5): Document all breaches (notified and not notified) with their facts, effects and remedial action; no long-stop date, enabling retrospective regulator review.

Processors do NOT assess risk

Under Article 33(2) a processor must notify the controller of every personal data breach without undue delay after becoming aware of it. The processor does not perform the 'risk to rights and freedoms' assessment - that is the controller's job, and the processor's duty to assist with it flows from the Article 28 contract.

Key terms - quick answers

What is “Article 33”?
Requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to rights and freedoms.
What is “72-hour rule”?
The target deadline for notifying the regulator: without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; notifying later is permitted only with reasons for the delay.
What is “Awareness”?
A controller is 'aware' (WP29) when it has a reasonable degree of certainty that a security incident has occurred leading to personal data being compromised.
What is “Phased notification”?
Providing breach information to the regulator in stages where the full picture is not yet clear, rather than delaying notification.