Art.34 GDPR

GDPR Art.34: Communication of a Personal Data Breach to the Data Subject

What This Control Requires

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

In Plain Language

If a breach is serious enough to put people at real risk, you need to tell them directly. Article 34 sets a higher bar than the supervisory authority notification under Article 33 - you only need to notify individuals when the breach is likely to result in high risk to their rights and freedoms. The whole point is to give people the chance to protect themselves, whether that means changing passwords, watching their bank accounts, or being alert to identity theft. The notification must go out without undue delay and must be written in clear, plain language. Include your DPO or contact point details, a description of the likely consequences, the measures you have taken or plan to take, and practical advice on what individuals can do to protect themselves. There are three situations where you can skip individual notification: you had strong encryption or similar protections in place that render the data unintelligible, you have taken subsequent measures that eliminate the high risk, or individual notification would involve disproportionate effort (in which case you must issue a public communication instead).

How to Implement

Fold data subject notification into your incident response procedures. Your breach assessment process should include a specific step for evaluating whether the Article 34 high-risk threshold is met. Build a decision framework covering the type and sensitivity of data breached, the volume, the number of affected individuals, the severity of potential consequences, and whether any protections like encryption were in place. Prepare notification templates before you need them. When a breach hits, you will not have time to draft from scratch. Templates should cover all required elements: a plain-language description of the breach, DPO contact details, likely consequences, measures taken, and recommended steps for individuals. Have versions ready in all relevant languages and for different channels - email, post, telephone scripts. Plan for multiple communication channels. Email is the obvious first choice, but it may not work if email addresses were part of the compromised data. Have fallback options ready: postal mail, telephone, SMS, and public announcements. For large-scale breaches, consider standing up a dedicated webpage, helpline, or FAQ resource. Document every decision, whether you notify or not. Record the risk assessment, the factors you considered, and your rationale. If you rely on one of the Article 34(3) exceptions (encryption, subsequent measures, or disproportionate effort), spell out exactly why it applies. Regulators will want to see this documentation. Run tabletop exercises that include data subject notification scenarios. Walk through the entire chain from detection to risk assessment to notification delivery. Time the process, find the bottlenecks, and refine your procedures. These exercises reveal problems that only surface under pressure.

Evidence Your Auditor Will Request

Breach assessment framework with criteria for determining high risk to data subjects
Pre-prepared notification templates compliant with Article 34 requirements
Records of breach notifications sent to data subjects, including content and timing
Documentation of risk assessments for all breaches, including decisions not to notify
Evidence of breach notification tabletop exercises or simulations

Common Mistakes

Failing to notify data subjects when the high-risk threshold is met
Delayed notification that prevents data subjects from taking timely protective measures
Notification communications using technical jargon instead of clear and plain language
Not providing practical advice to data subjects on steps they can take to protect themselves
Applying the encryption exception when the encryption was not sufficient to render data unintelligible

Related Controls Across Frameworks

Framework	Control ID	Relationship
ISO 27001	A.5.26	Related
NIS2	Art.23	Related

Frequently Asked Questions

What constitutes 'high risk' requiring notification to data subjects?

Think about breaches involving sensitive data (health, financial, identity documents), large volumes of personal data, or data that could lead to identity theft, financial loss, discrimination, or reputational damage. If the data was unencrypted and the potential consequences are serious, you are almost certainly in high-risk territory. Weigh both the likelihood and severity of potential harm to the individuals affected.

Can we delay notification while we investigate the breach?

A short delay to understand what happened is acceptable, but do not use the investigation as an excuse to sit on it. The standard is "without undue delay". Once you know enough to determine that high risk exists, notify - even if the investigation is still running. You can always send updates as more information comes in.

Does the encryption exception apply if the encryption keys were also compromised?

No. The Article 34(3)(a) exception only works if the data is genuinely unintelligible to anyone who should not have it. If the keys were compromised in the same breach, or the encryption was weak enough to be broken, the exception falls away and you need to notify affected individuals.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.

Start Free Assessment