CIPP/E Study Guide
IAPP Training · Module 9 - BoK II.B

Module 9 · Data breach notification (Articles 33 and 34)

Article 4(12) defines a personal data breach as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data - including a temporary loss of availability (e.g., a power outage). A processor must tell the controller without undue delay. Under Article 33 the controller notifies the supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk. Under Article 34 the controller informs data subjects when the breach is likely to cause a high risk, subject to exceptions.

Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed." A temporary availability loss (e.g., a power outage making files unavailable) can be a breach.

A processor must inform the controller without undue delay after becoming aware. The clock and risk-test then differ by who is being told:

Article 33 (notify SA) vs Article 34 (inform data subjects)

Who is told
  • Article 33 - Supervisory Authority: the supervisory authority
  • Article 34 - Data subjects: the affected data subjects
Timing
  • Article 33: without undue delay and, where feasible, within 72 hours of becoming aware (late = give reasons)
  • Article 34: without undue delay
Trigger threshold
  • Article 33: required unless the breach is unlikely to result in a risk
  • Article 34: required only when the breach is likely to result in a high risk
Exceptions
  • Article 33: late notifications must be reasoned; not required if there is no risk
  • Article 34: not required if the data was protected (e.g., encrypted/unintelligible); subsequent measures mean the high risk is no longer likely; or it would involve disproportionate effort (use a public communication instead)
  • The Article 33 notification describes: the nature of the breach; categories/approximate numbers affected; the DPO contact; likely consequences; and measures taken.
  • Risk assessments determine extent and impact; have processes ready for notifying data subjects in a large breach.
Burn-in

72 hours is the SA target under Article 33, not a hard cap - the underlying standard is without undue delay, and late notices must give reasons. Telling data subjects (Article 34) has no 72-hour clock - it is "without undue delay" once a high risk is found.

Key terms - quick answers

What is “Personal data breach”?
Article 4(12): a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
What is “Availability loss”?
A temporary inability to access data (e.g., a power outage) - can itself amount to a personal data breach.
What is “High risk”?
The Article 34 threshold at which data subjects must be informed of a breach.
What is “Disproportionate effort”?
An Article 34 exception allowing a public communication instead of individual notice to data subjects.