Article 33

Notification of a personal data breach to the supervisory authority

1.   In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2.   The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3.   The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.   Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5.   The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

What does it mean?

To deal with a personal data breach, the controller must first be able to recognise one.

Under the GDPR (Article 4(12)), a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Only events with one of these outcomes fall under the definition. A security incident that affects no personal data is not a personal data breach in the GDPR sense, even if it is still an incident the organisation has to handle.

For example, a personal data breach may occur when the controller's software is not sufficiently secured, allowing outsiders to access personal data (e.g. hacking).

However, the controller's own handling of the personal data may also cause a breach, for example if the controller discloses or modifies the personal data without authorisation.

Another example: the controller may lose access to the personal data, or destroy it, whether unlawfully or as a result of an unanticipated event (e.g. fire or flood). Loss of availability is a breach too, not only loss of confidentiality.

Examples of personal data breaches:

  1. Persons other than those authorised by the controller gain access to personal data. This covers persons both outside and within the controller's organisation.
  2. The controller's employees accidentally modify or delete personal data.
  3. Unauthorised persons gain access to particularly sensitive personal data, e.g. national identification numbers or credit card details.
  4. Employees knowingly or unknowingly pass on the personal data of one citizen/customer to another citizen/customer, or even to several other persons.
  5. A customer login on the controller's website is served without encryption (no TLS), so that credentials and session data travel in the clear and one or more unauthorised persons can intercept them and gain direct access to the customer's data.

When a breach is not handled appropriately and in good time, it may cause physical, material or non-material harm to persons, e.g.

  • loss of control over their personal data or restriction of their rights,
  • discrimination,
  • identity theft or fraud,
  • financial loss,
  • unauthorised reversal of pseudonymisation,
  • damage to reputation,
  • loss of confidentiality of personal data protected by professional secrecy.

As a rule, all personal data breaches must be notified to the Data Protection Authority, without undue delay and where feasible within 72 hours of the controller becoming aware of the breach. Notification is not required only if the breach is unlikely to result in a risk to the rights and freedoms of natural persons; that assessment must itself be documented (see below).

A risk to the rights and freedoms of natural persons includes:

  • Discrimination.
  • Identity theft or fraud.
  • Financial loss.
  • Damage to reputation.
  • Loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the data subject.

The controller must assess, immediately after becoming aware of the breach, how likely it is that the breach poses a risk to the rights and freedoms of the individuals concerned. Note that the 72-hour period runs from the moment the controller becomes aware of the breach, not from the moment the assessment is finished.

The following factors should always be taken into account when assessing the risk to the rights and freedoms of data subjects resulting from a personal data breach:

  • the type of breach, including whether it involves a loss of availability (data lost or destroyed), a breach of confidentiality (data disclosed or accessed) or a breach of integrity (data altered);
  • the nature, sensitivity and volume of the data;
  • how easily the data subjects can be identified from the data, including whether it was encrypted or pseudonymised;
  • the consequences the breach may have for the data subjects;
  • whether the breach involves specific categories of data subjects (e.g. children or vulnerable persons);
  • the number of natural persons affected.

The controller must document all personal data breaches, including the facts of the breach, its effects and the remedial measures taken.

This applies whether or not the controller is obliged to notify the breach to the Data Protection Authority.

The purpose of this documentation obligation is to enable the Data Protection Authority to check whether the obligation to notify certain breaches has been complied with.

The documentation must contain information about the breach, including its facts, its effects and the remedial measures. In practice, a breach record should answer at least the following:

  • Date and time of the breach, and when the controller became aware of it
  • What happened during the breach?
  • What was the cause of the breach?
  • Which (types of) personal data are affected by the breach?
  • What are the consequences of the breach for the persons concerned?
  • What remedial measures have been taken?
  • Has the Data Protection Authority been notified, and if not, why not?
