
EU GDPR 72-hour Breach Notification

Breach notification under GDPR depends on timekeeping discipline, risk logic, and evidence quality.

Use controller awareness, phased notifications, and Article 34 exception analysis to keep the workflow defensible.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Sections: 4 (structured answer sets in this page tree)
Primary sources: 3 (cited legal and guidance references)

Overview

GDPR breach response works only if controller and processor obligations are separated clearly and the timeline is documented from the first signal forward. The processor must notify the controller without undue delay. The controller then decides whether the incident is a personal data breach, whether it is likely to result in a risk to rights and freedoms, whether supervisory-authority notification is required within 72 hours, and whether Article 34 communication to affected individuals is necessary. The evidence file has to show that logic, not just the final conclusion.

1) Classification and controller awareness

The 72-hour clock is tied to controller awareness, so the workflow needs a precise awareness rule and a record of who made the call.

Do not confuse first suspicion, processor escalation, and controller awareness.

  • Define the minimum fact pattern for awareness and record it in the incident log.
  • Record when the processor informed the controller and what information was available at that point.
  • Separate confidentiality, integrity, and availability impacts so risk can be assessed consistently.
  • Preserve the evolving incident timeline because phased notifications are expressly allowed when all facts are not yet available.

2) Article 33 supervisory-authority notification

Notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

That means the controller needs a repeatable risk rubric, not an improvised legal debate.

  • Assess categories of personal data, number of affected individuals, ease of identification, likely consequences, and the effectiveness of technical mitigations such as encryption.
  • If notification is required, capture the nature of the breach, likely consequences, measures taken, and the contact point for follow-up.
  • If complete information is not yet available, send the initial notification and supplement it without undue delay.
  • If the controller decides not to notify, keep the written rationale as part of the breach register.

3) Article 34 communication to individuals

Article 34 is about likely high risk, which is a narrower and more serious threshold than Article 33 risk.

You need explicit reasoning for both the communication decision and any exception relied upon.

  • Document whether the breach creates likely high risk, for example fraud, identity theft, discrimination, or safety impact.
  • Check the Article 34 exceptions, including effective technical protection, measures that remove the high risk, or disproportionate effort paired with public communication.
  • Prepare plain-language templates that explain the breach, the likely consequences, and the steps individuals should take.
  • Keep the approval chain and the communication channel log as part of the incident evidence pack.
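The decision flow in sections 1 to 3 (record controller awareness, compute the 72-hour deadline, apply a repeatable risk rubric, decide Article 33 notification, then test Article 34 high risk and its exceptions) is shown below as an added Python example. It is not code from Sorena or from this guide; the register field names, the rubric thresholds (for example which data categories count as "high risk") and the sample incident are all constructed assumptions for illustration. What it demonstrates is that the register record carries the reasoning trail, not just the final yes/no.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"   # Art. 33(1) carve-out: no SA notification
    RISK = "risk"                                # Art. 33: notify the supervisory authority
    HIGH_RISK = "high risk"                      # Art. 34: also communicate to individuals


@dataclass
class Breach:
    """One breach-register entry. Field names are constructed for this example."""
    data_categories: frozenset        # e.g. {"contact", "financial", "credentials"}
    affected_count: int
    identifiable: bool                # can individuals be readily identified from the data?
    impacts: frozenset                # subset of {"confidentiality", "integrity", "availability"}
    data_unintelligible: bool         # encrypted and key not compromised (Art. 34(3)(a) style)
    high_risk_removed: bool           # later measures mean high risk is no longer likely (Art. 34(3)(b) style)
    disproportionate_effort: bool     # contacting individuals would be disproportionate (Art. 34(3)(c) style)
    processor_notified_controller: datetime
    controller_aware: datetime        # moment the awareness rule in the incident log was met


NOTIFICATION_WINDOW = timedelta(hours=72)   # Art. 33(1): 72 hours from controller awareness

# Assumed rubric: categories that push a breach to "high risk". A policy choice, not GDPR text.
HIGH_RISK_CATEGORIES = frozenset({"special_category", "financial", "credentials", "government_id"})


def assess_risk(b: Breach) -> tuple[Risk, list[str]]:
    """Apply the rubric and return the level together with the reasoning trail."""
    reasons = []
    if b.data_unintelligible and b.impacts == {"confidentiality"}:
        reasons.append("confidentiality-only breach of data that is unintelligible to third parties")
        return Risk.UNLIKELY, reasons
    if not b.identifiable:
        reasons.append("individuals cannot readily be identified from the affected data")
        return Risk.UNLIKELY, reasons
    sensitive = b.data_categories & HIGH_RISK_CATEGORIES
    if sensitive:
        reasons.append(f"identifiable individuals, sensitive categories involved: {sorted(sensitive)}")
        return Risk.HIGH_RISK, reasons
    reasons.append(f"identifiable individuals ({b.affected_count}), no high-risk categories")
    return Risk.RISK, reasons


def decide(b: Breach) -> dict:
    """Produce the register record: Art. 33 and Art. 34 decisions, deadline and rationale."""
    risk, reasons = assess_risk(b)
    deadline = b.controller_aware + NOTIFICATION_WINDOW
    escalation_lag = b.controller_aware - b.processor_notified_controller

    art33_notify = risk is not Risk.UNLIKELY

    # Art. 34(3) exceptions only matter once the high-risk threshold is met
    art34_exceptions = []
    if b.data_unintelligible:
        art34_exceptions.append("Art. 34(3)(a): data rendered unintelligible")
    if b.high_risk_removed:
        art34_exceptions.append("Art. 34(3)(b): subsequent measures removed the high risk")
    if b.disproportionate_effort:
        art34_exceptions.append("Art. 34(3)(c): disproportionate effort, use public communication instead")
    art34_communicate = risk is Risk.HIGH_RISK and not art34_exceptions

    return {
        "risk_level": risk.value,
        "rationale": reasons,
        "article_33_notify_sa": art33_notify,
        "article_33_deadline_utc": deadline.isoformat() if art33_notify else None,
        "article_34_communicate": art34_communicate,
        "article_34_exceptions": art34_exceptions if risk is Risk.HIGH_RISK else [],
        "processor_escalation_lag_hours": escalation_lag.total_seconds() / 3600,
    }


def sample_breach(**overrides) -> Breach:
    """Constructed sample incident; override fields to explore how the rubric reacts."""
    base = Breach(
        data_categories=frozenset({"contact", "credentials"}),
        affected_count=4200,
        identifiable=True,
        impacts=frozenset({"confidentiality", "integrity"}),
        data_unintelligible=False,
        high_risk_removed=False,
        disproportionate_effort=False,
        processor_notified_controller=datetime(2026, 2, 20, 22, 0, tzinfo=timezone.utc),
        controller_aware=datetime(2026, 2, 21, 9, 0, tzinfo=timezone.utc),
    )
    return replace(base, **overrides)


if __name__ == "__main__":
    import json
    print(json.dumps(decide(sample_breach()), indent=2))
```

Two points of the design: the deadline is computed from `controller_aware`, not from the processor's notification time, which is why the record also stores the escalation lag as evidence for the Article 28 discussion; and an exception never silently suppresses the Article 34 line, it is written into the record next to the high-risk finding so a reviewer can see which exception was relied upon.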

4) Processor, vendor, and sub-processor readiness

Many breach failures are really Article 28 failures. The processor contract does not just allocate risk; it determines how fast the controller can make a lawful notification decision.

Make the breach workflow visible in vendor diligence and contracts.

  • Require processors to notify without undue delay and provide structured facts, not generic alerts.
  • Define escalation routes, named contacts, and evidence items expected from processors and sub-processors.
  • Align incident-reporting clauses with the controller breach workflow and regulator deadlines.
  • Test the process with key vendors rather than assuming the DPA wording is enough.