GDPR Breach Notification: 72-Hour Timeline & Data Protection Authority Reporting
What you need to know: GDPR Breach Notification: 72-Hour Timeline & Data Protection Authority Reporting
GDPR Article 33 requires you to notify data protection authorities of a personal data breach within 72 hours of becoming aware. This guide explains what counts as a breach, when the clock starts, who to notify, and what to include.
GDPR Article 33 requires every organisation to notify data protection authorities (DPAs) of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of" the breach. This is a hard legal deadline. Missing it incurs fines of up to €10 million or 2% of annual global turnover.
This guide explains what counts as a breach, when the 72-hour clock starts, who to notify, and what to include in your notification.
The Law: GDPR Article 33(1)
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, notify the personal data breach to the supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
Key points:
- The 72-hour clock starts the moment your organisation becomes aware of the breach — not when you finish investigating.
- Notification is mandatory unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons."
- The recipient is the supervisory authority — the national Data Protection Authority (DPA) in the jurisdiction(s) where affected individuals are located.
- Failure to notify incurs fines under Article 83(4): up to €10 million or 2% of annual revenue (whichever is higher).
What Counts as a Data Breach?
GDPR Article 4(12) defines a personal data breach as:
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised or accidental disclosure of, or access to, personal data transmitted, stored or otherwise processed."
In plain terms: a breach is any event where personal data is compromised — exposed to unauthorised parties, lost, deleted, or altered without authorisation.
Examples That Require 72-Hour Notification
- Ransomware attack encrypting customer databases
- Hacked employee account that exposed customer data
- Misconfigured cloud storage bucket exposing a customer list
- Unencrypted laptop with customer data stolen from a parked car
- Insider data leak from an employee with database access
- Successful phishing attack resulting in credential theft and data access
- Third-party vendor breach affecting your customer data
Examples That May Not Require Notification (Low-Risk)
- Failed access attempt with no actual breach confirmed
- Loss of encrypted data where the encryption key is not compromised
- Technical incident with no evidence of actual data access or exfiltration
The test: Is there a realistic risk to individuals' rights or freedoms? If yes — notify. If no — you may skip DPA notification, but document your reasoning in writing.
The 72-Hour Timeline: When Does It Start?
The clock starts the moment your organisation becomes aware of the breach, not when:
- You finish investigating the incident
- You patch the vulnerability
- You contact affected individuals
- Legal counsel approves the notification
- Your CEO signs off
Real-World Timeline Examples
Example 1 — Ransomware Attack
- 09:00: Security team detects unusual encrypted files on a production server
- This is "awareness" — the clock starts now
- Deadline: 09:00 three days later (72 hours)
- Action: Notify the DPA by that deadline — do not wait for the forensic report
Example 2 — Third-Party Vendor Breach
- 15:00: Your vendor sends an urgent email: "We discovered a breach affecting your customer data"
- Awareness begins when you read or receive the notification
- Deadline: 15:00 three days later
- Action: Submit a preliminary notification even before you have full details
Example 3 — Discovered During Audit
- Audit team discovers that customer data was exposed for the previous 13 days
- Awareness: the moment of discovery, not the start of the exposure period
- Deadline: 72 hours from discovery
- Action: Notify DPA immediately; the exposure period is relevant context, not the clock start
Who Do You Notify? The Data Protection Authority (DPA)
Each EU and EEA country has a supervisory authority (Data Protection Authority) responsible for GDPR enforcement. You must notify the DPA in each jurisdiction where affected individuals reside.
| Country | DPA Name | Notification Contact | |---------|----------|---------------------| | Austria | Österreichische Datenschutzbehörde | [email protected] | | Belgium | Autorité de protection des données | Report via online form (apd-gba.be) | | Bulgaria | Commission for Personal Data Protection | [email protected] | | Croatia | Agencija za zaštitu osobnih podataka | [email protected] | | Cyprus | Commissioner for Personal Data Protection | [email protected] | | Czech Republic | Úřad pro ochranu osobních údajů | [email protected] | | Denmark | Datatilsynet | [email protected] | | Estonia | Andmekaitse Inspektsioon | [email protected] | | Finland | Tietosuojavaltuutetun toimisto | [email protected] | | France | Commission Nationale de l'Informatique et des Libertés (CNIL) | Report via online portal (cnil.fr) | | Germany | Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) | Report via online portal (bfdi.bund.de) | | Greece | Hellenic Data Protection Authority | [email protected] | | Hungary | Nemzeti Adatvédelmi és Információszabadság Hatóság | [email protected] | | Ireland | Data Protection Commission | Report via online portal (dataprotection.ie) | | Italy | Garante per la Protezione dei Dati Personali | Report via online form (garanteprivacy.it) | | Latvia | Datu valsts inspekcija | [email protected] | | Lithuania | Valstybinė duomenų apsaugos inspekcija | [email protected] | | Luxembourg | Commission Nationale pour la Protection des Données | [email protected] | | Malta | Office of the Information and Data Protection Commissioner | [email protected] | | Netherlands | Autoriteit Persoonsgegevens | Report via online portal (autoriteitpersoonsgegevens.nl) | | Poland | Prezes Urzędu Ochrony Danych Osobowych | Report via online portal (uodo.gov.pl) | | Portugal | Comissão Nacional de Proteção de Dados | [email protected] | | Romania | Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal | Report via online form | | Slovakia | Úrad na ochranu osobných údajov | [email protected] | | Slovenia | Informacijski pooblaščenec | [email protected] | | Spain | Agencia Española de Protección de Datos | Report via online platform (aepd.es) | | Sweden | Integritetsskyddsmyndigheten | Report via online form (imy.se) | | UK | Information Commissioner's Office (ICO) | Report via online portal (ico.org.uk) |
Rule: If your breach affects individuals in multiple jurisdictions, you must notify every relevant DPA. A breach affecting customers in Germany and France requires separate notifications to BfDI and CNIL.
What Your DPA Notification Must Include
GDPR Article 33(3) specifies the minimum content:
I. Incident Details
- Date and time breach was discovered
- Date and time breach occurred (if known)
- Categories of personal data affected (names, emails, financial data, health data, etc.)
- Approximate number of affected individuals
- Approximate number of records affected
II. Description of the Breach
- What happened (ransomware, misconfigured database, stolen credentials)
- How the breach was discovered
- Whether the vulnerability has been remediated
III. Likely Consequences for Affected Individuals
- Identity theft risk
- Financial fraud risk
- Discrimination risk (particularly for sensitive data categories)
IV. Measures Taken
- Forensic investigation status and timeline
- Containment measures implemented
- Notification to affected individuals (or timeline for this)
- Root cause analysis findings
- Preventive measures implemented or planned
V. DPO Contact
- Name, email, phone of your Data Protection Officer (if appointed)
- Incident contact for DPA follow-up
Important: You do not need to have completed the investigation before notifying. Submit preliminary information within 72 hours and provide updates as the investigation progresses.
Step-by-Step: How to Notify Your DPA
Step 1 — Assess the breach (within hours of discovery)
Confirm a breach has occurred and is not a false alarm. Identify affected data categories and the number of individuals. Determine which EU countries those individuals reside in.
Step 2 — Identify the relevant DPA(s)
Consult the table above. For multiple jurisdictions, prepare separate notifications for each DPA. Each has its own submission procedure — check their website.
Step 3 — Prepare a preliminary notification
You do not need forensic certainty to notify. Describe what you know at 72 hours, even if incomplete: "As of [date/time], we have identified unauthorised access to customer email addresses. Investigation is ongoing and we will provide a full forensic report by [date]."
Step 4 — Submit to DPA(s) by the deadline
Send your notification via the DPA's specified channel (online form or email). Keep proof of submission — the receipt, email timestamp, or portal confirmation.
Step 5 — Ongoing communication
Update the DPA as your investigation progresses. Provide forensic findings within 2–4 weeks. Respond promptly to any DPA requests for additional information.
Article 34: Notification to Affected Individuals
DPA notification (Article 33) is a separate obligation from individual notification (Article 34).
Article 34 requires you to notify affected individuals "without undue delay" when a breach is likely to result in a high risk to their rights and freedoms. You do not have to notify individuals if:
- The data was fully encrypted and the encryption key was not compromised
- You have taken subsequent measures that effectively eliminate the risk
- Notification would require disproportionate effort (in which case you must make a public communication instead)
Individual notifications must describe the breach, its likely consequences, the measures taken, and your DPO contact details.
Common Mistakes
Waiting for the investigation to complete before notifying. The 72-hour clock starts at discovery. Notify early with preliminary information and update later.
Only notifying your home-country DPA. You must notify every DPA in every jurisdiction where affected individuals reside.
Deciding unilaterally that the risk is low without documenting your reasoning. Document your low-risk assessment in writing. Even low-risk breaches usually warrant DPA notification.
Sending a generic breach notice instead of DPA-specific information. Each DPA may have slightly different notification requirements and forms. Check the official portal for each country.
Preparing Now: Your Breach Readiness Checklist
- Designate an incident response team (security, legal, compliance, communications)
- Document your data inventory: what personal data you hold, where it's stored, how long you keep it
- Write incident response procedures: how to detect, contain, and investigate breaches
- Configure logging and monitoring so you know when a breach occurs
- Identify your relevant DPAs based on your customer and employee geographies
- Pre-draft DPA notification templates for each relevant jurisdiction
- Brief your executive team on the 72-hour requirement and decision authority
- Set up escalation procedures so any confirmed breach triggers immediate notification
- Run a tabletop exercise at least annually
Key Takeaways
- The 72-hour clock starts at discovery, not at investigation completion. Notify the DPA with preliminary information immediately.
- Notify every relevant DPA — one per country where affected individuals reside.
- Notification is mandatory unless the breach is low-risk — document your assessment if you decide not to notify.
- Your notification must include the nature of the breach, affected data categories, likely consequences, and measures taken.
- Failure to notify on time incurs fines of up to €10 million or 2% of annual revenue, plus reputational and regulatory consequences.
- Prepare now — build your incident response procedures before a breach happens, not during one.
For informational purposes only. This article does not constitute legal advice. Consult your Data Protection Officer, legal counsel, or a GDPR compliance specialist for advice specific to your organisation.
Key takeaways: GDPR Breach Notification: 72-Hour Timeline & Data Protection Authority Reporting
This article covers: The Law: GDPR Article 33(1), What Counts as a Data Breach?, The 72-Hour Timeline: When Does It Start?.
- The Law: GDPR Article 33(1)
- What Counts as a Data Breach?
- The 72-Hour Timeline: When Does It Start?
- Who Do You Notify? The Data Protection Authority (DPA)
- What Your DPA Notification Must Include
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.
Get the weekly EU compliance briefing — 2 minutes, every Thursday.
Related Regulation
GDPR
Official EuroComply guide to GDPR