CIPP/E Study Guide
Ch 10.3-10.3.1 - Breach notification overview & definition

Risk reporting and the meaning of 'personal data breach'

Article 33 requires notifying the regulator and Article 34 requires communicating to data subjects - both only where there is risk (or high risk) to rights and freedoms. This is essentially a risk-reporting / transparency mechanism. A personal data breach (Article 4(12)) is 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to' personal data. It must be an actual breach causing an actual negative outcome - mere risks are not caught - but security controls do not need to be overcome, so an absence of controls still counts.

Article 33 makes controllers notify data protection authorities, and Article 34 is a parallel duty to communicate with affected people - each only where the breach involves risks to the rights and freedoms of individuals. The reporting is a transparency / risk reporting mechanism. Benefits include mitigating loss (people can take steps to protect themselves), helping to understand the causes of failure, and giving regulators the information they need to supervise. The GDPR breach regime is not the first in EU law - the 2009 amendment to the ePrivacy Directive created one for electronic communications providers, and the NIS Directive did so for critical infrastructure, online platforms and cloud services.

Article 4(12) defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to' personal data. Note it does not map perfectly onto Article 5(1)(f): for instance, Article 5(1)(f) does not mention alteration, whereas Article 4(12) does.

  • A breach must be an actual breach of security that actually leads to a negative outcome - mere risks of a breach are not caught (unlike the security principle, which also targets risks)
  • But security controls do not have to be overcome for a breach to occur - so a breach caused by an absence of controls is still covered, closing a potential loophole
  • A controller cannot escape Articles 33/34 by deliberately not implementing security controls

Definition gotcha

A personal data breach requires an actual negative outcome, not just a risk. But you do not need controls to have been 'defeated' - a breach from having no controls at all still counts.

Key terms - quick answers

What is “Personal data breach”?
Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What is “Risk reporting”?
The idea that breach notification/communication is a transparency mechanism applying only where a breach involves risks to individuals' rights and freedoms.
What is “Rights and freedoms”?
The interests of individuals (e.g. against identity theft, distress, financial loss) whose risk level triggers Article 33/34 obligations.