
GDPR Art.33: Notification of a Personal Data Breach to the Supervisory Authority

What This Control Requires

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

In Plain Language

When a personal data breach happens, you have 72 hours to report it to your supervisory authority. That clock starts the moment you become reasonably certain a breach has occurred - not when the investigation wraps up. The only exception is where the breach is genuinely unlikely to pose any risk to affected individuals, but even then you must document it internally along with your reasoning.

Your notification needs to cover specific ground: the nature of the breach (including approximate numbers of people and records affected), your DPO or contact point details, the likely consequences, and the steps you have taken or plan to take. If you cannot gather everything within 72 hours, you can provide information in phases - but that initial notification still needs to go out on time.

Processors carry their own obligation here. They must notify controllers without undue delay after discovering a breach. This is a critical link in the chain - if your processor sits on a breach for days, you lose your window. Make sure your data processing agreements include specific notification timeframes that give you enough room to meet the 72-hour deadline.

How to Implement

Build a dedicated incident response plan that covers personal data breaches and GDPR notification requirements. It should walk through breach detection and identification, initial assessment and containment, the notification decision (risk assessment to determine whether reporting is required), supervisory authority notification within 72 hours, data subject notification where there is high risk (Article 34), investigation and remediation, and post-incident review.

Set up breach detection across the organisation. Deploy technical monitoring - SIEM systems, intrusion detection, data loss prevention - that can flag potential breaches in real time. Create clear internal reporting channels so staff know exactly where to raise a suspected breach. Train everyone to recognise the signs of a data breach and to report immediately. Remember: the 72-hour clock starts at detection, so speed matters.

Develop a breach assessment framework for deciding whether a breach triggers the notification obligation. Not every breach needs reporting - only those likely to pose a risk to individuals. Define criteria covering the type and sensitivity of data affected, volume and number of individuals involved, the nature of the breach (confidentiality, integrity, or availability), whether the data was encrypted, and the realistic likelihood of identification or harm.

Prepare notification templates and familiarise your team with the submission process for your supervisory authority. Most authorities offer online breach notification forms. Pre-populate templates with standing details (controller information, DPO contact) so you are not scrambling under time pressure. Decide in advance who has the authority to approve and submit notifications.

Keep a breach register that documents every personal data breach, reported or not. Record the facts, the effects, and the remedial actions taken. For breaches you chose not to report, include the risk assessment and reasoning behind that decision. Regulators will ask to see this register during inspections, and a well-maintained one demonstrates genuine accountability.
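The assessment framework, the 72-hour clock and the breach register described above can be expressed as a small piece of code, which makes the decision rules explicit and auditable. The following is an added example, not code from AuditFront or from any regulator's tooling: the field names, the `assess_risk` rule set (in particular tying the "high risk" level to special-category data) and the sample records are assumptions made for illustration, not thresholds the article defines.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Art. 33(1): notify "not later than 72 hours after having become aware" of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset, e.g. '2024-01-01T09:00:00+00:00'."""
    return datetime.fromisoformat(value)


@dataclass
class BreachAssessment:
    """Facts the assessment framework asks for (criteria as listed above; field names are ours)."""
    breach_type: str            # "confidentiality", "integrity" or "availability"
    special_category: bool      # e.g. health or biometric data
    individuals_affected: int   # approximate number of data subjects
    encrypted: bool             # affected data was encrypted when exposed
    keys_compromised: bool      # the encryption keys were exposed as well
    identifiable: bool          # realistic likelihood that individuals can be identified


def assess_risk(a: BreachAssessment) -> tuple[str, str]:
    """Return (level, reasoning); level is 'unlikely', 'likely' or 'high'.

    Hypothetical rule set: the two 'unlikely' branches follow the encryption and
    identifiability criteria; 'high' (which would additionally trigger Art. 34
    data subject notification) is tied here to special-category data, an
    assumption for illustration rather than a threshold the article states.
    """
    if not a.identifiable:
        return "unlikely", "no realistic likelihood of identifying individuals"
    if a.breach_type == "confidentiality" and a.encrypted and not a.keys_compromised:
        return "unlikely", "data encrypted and keys not compromised"
    if a.special_category:
        return "high", "special-category data of identifiable individuals exposed"
    return "likely", f"{a.individuals_affected} identifiable individuals affected"


@dataclass
class BreachRecord:
    """One breach register entry: recorded whether or not it was reported."""
    reference: str
    became_aware: datetime          # moment of reasonable certainty, not end of investigation
    assessment: BreachAssessment
    notified_at: Optional[datetime] = None
    phased: bool = False            # Art. 33(4): further details to follow
    delay_reason: Optional[str] = None
    remedial_actions: list[str] = field(default_factory=list)

    @property
    def deadline(self) -> datetime:
        return self.became_aware + NOTIFICATION_WINDOW

    def notification_required(self) -> bool:
        return assess_risk(self.assessment)[0] != "unlikely"

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the 72-hour clock; negative once the deadline has passed."""
        return (self.deadline - now).total_seconds() / 3600

    def status(self, now: datetime) -> str:
        level, reason = assess_risk(self.assessment)
        if level == "unlikely":
            return f"record only (not reportable): {reason}"
        if self.notified_at is None:
            left = self.hours_remaining(now)
            if left > 0:
                return f"notify supervisory authority within {left:.1f} h"
            return "OVERDUE: notify now and state the reasons for the delay"
        if self.notified_at > self.deadline and not self.delay_reason:
            return "late notification recorded without reasons for the delay"
        note = " (phased: further details to follow)" if self.phased else ""
        return f"notified{note}"


if __name__ == "__main__":
    # Constructed sample register entries, not real incidents.
    aware = parse_ts("2024-01-01T09:00:00+00:00")
    register = [
        BreachRecord("BR-0001", aware, BreachAssessment("confidentiality", False, 1200, True, False, True),
                     remedial_actions=["laptop remotely wiped"]),
        BreachRecord("BR-0002", aware, BreachAssessment("confidentiality", True, 40, True, True, True)),
    ]
    for rec in register:
        print(rec.reference, rec.deadline.isoformat(), rec.status(parse_ts("2024-01-04T17:00:00+00:00")))
```

Every entry is kept, including the non-reportable one, together with the reasoning string; that is what an inspector reads in the register. The status text deliberately distinguishes a late notification that carries reasons for the delay from one that does not, since Art. 33(1) requires the former.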

Evidence Your Auditor Will Request

  • Documented incident response plan covering GDPR breach notification requirements
  • Breach assessment framework with risk criteria for notification decisions
  • Breach register documenting all breaches, assessments, and notification decisions
  • Breach notification templates and submission procedures for the relevant supervisory authority
  • Evidence of staff training on breach detection and reporting

Common Mistakes

  • Exceeding the 72-hour notification deadline due to slow detection, unclear escalation, or approval bottlenecks
  • No breach register maintained, making it impossible to demonstrate compliance during audits
  • Incomplete notifications missing required information elements
  • Processors failing to notify controllers promptly, preventing the controller from meeting the 72-hour deadline
  • No formal risk assessment process for determining whether a breach needs to be reported

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.24        Related
ISO 27001    A.5.26        Related
NIS2         Art.23        Related

Frequently Asked Questions

When does the 72-hour clock start?
It starts when the controller "becomes aware" of the breach. According to EDPB guidance, that means the moment you have a reasonable degree of certainty that a security incident has compromised personal data. You do not need full certainty - once there is enough information to suspect a breach has occurred, the clock is running.
Do we need to report breaches where the data was encrypted?
Possibly not, provided the encryption was strong enough that the data is meaningless to anyone who accessed it without authorisation. But you still need to document the breach and your assessment. If the encryption keys were also compromised, or the encryption was weak, you will likely still need to report. Either way, record the reasoning in your breach register.
What if we cannot provide all required information within 72 hours?
Article 33(4) specifically allows phased notification. Submit what you have within 72 hours, note that further details will follow, and then provide the rest without further undue delay. Regulators much prefer a timely partial notification over a late but complete one.
