Ch 10.3 - Comparison
Article 33 vs Article 34 - side-by-side comparison
Both Article 33 and Article 34 are risk-reporting duties on the controller, but they differ on who is told, the threshold, the deadline and the content. Article 33 → tell the supervisory authority on a mere risk, within 72 hours. Article 34 → tell data subjects only on a high risk, without undue delay, subject to three exceptions. Master this grid: it is a classic exam comparison.
| Dimension | Article 33 - Supervisory authority | Article 34 - Data subjects |
|---|---|---|
| Who is told | The supervisory authority (DPA) | The affected data subjects |
| Trigger / threshold | Any breach likely to risk rights and freedoms (no notice only if unlikely to risk) | Only a breach likely to result in a high risk to rights and freedoms |
| Deadline | Without undue delay and, where feasible, within 72 hours of awareness | Without undue delay (no fixed 72-hour figure) |
| Content | Nature of breach, categories/approximate numbers of data subjects and records, DPO contact, likely consequences, measures taken/proposed (Art 33(3)) | In clear plain language: nature of the breach, DPO contact, likely consequences, measures taken/proposed |
| Exceptions | Notification not required if breach unlikely to risk rights and freedoms | Three exceptions (Art 34(3)): unintelligible data (encryption); measures removing the high risk; disproportionate effort (use substitute notice) |
| Who does it | Controller (processor notifies the controller under Art 33(2) and does NOT assess risk) | Controller (regulator may also order it under Art 34(4)) |
Don't mix up the deadlines
The 72-hour figure belongs to Article 33 (regulator). Article 34 (data subjects) is simply 'without undue delay'. A common exam trap is attaching '72 hours' to Article 34.
Key terms - quick answers
What is “Supervisory authority”?
The data protection regulator (DPA) that must be notified of qualifying breaches under Article 33.
What is “Data subject”?
The identified or identifiable individual whose data is affected; the recipient of an Article 34 communication.