Artifact GuideEU GDPR

GDPR Breach Notification 72-hour workflow

A practical Article 33 and Article 34 workflow for deciding when the 72-hour supervisory-authority clock starts, what to include in the notice, and when affected people need clear high-risk communication.

Use it to align incident response, privacy, legal, DPO, security, processor-management, and evidence owners around awareness, risk assessment, phased updates, delay reasons, and breach logs.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Under GDPR Article 33, a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to create risk for people. Article 34 adds a separate data-subject communication duty when the breach is likely to result in high risk. This guide turns those duties into an incident workflow without adding unsupported national procedures.

Section 1

Start the 72-hour clock from controller awareness

Do not start the clock from a vague security alert alone. EDPB Guidelines 9/2022 treat a controller as aware when it has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised.

The initial investigation should begin as soon as possible and should be short. Once awareness exists, the controller should assess risk, contain the incident, and prepare the supervisory-authority notification where Article 33 is triggered.

  • Record the first alert time, the investigation start time, and the time the controller reached reasonable certainty that personal data was compromised.
  • Classify the incident as confidentiality, integrity, availability, or a combination of breach types.
  • Escalate to privacy, security, legal, the DPO or Article 33 contact point, processor-management, and communications owners as soon as personal data involvement is plausible.
  • If the incident is not a personal data breach, document why and keep the supporting technical facts.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 33 sets the controller notification duty and the 72-hour benchmark after awareness.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines explain awareness as reasonable certainty that a security incident led to compromised personal data and distinguish preliminary investigation from later detailed investigation.
Section 2

Apply the Article 33 risk threshold before notifying

Article 33 notification is required unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. That is a lower threshold than Article 34 communication to affected people.

Risk assessment should focus on the actual breach facts, not only the pre-incident DPIA. Consider breach type, data sensitivity and volume, ease of identifying people, likely severity and permanence of consequences, vulnerable people, the controller's role, and the number of affected people.

  • Notify the supervisory authority when risk to people is likely; do not wait for exact counts if approximate figures are available.
  • Document a non-notification decision when the breach is unlikely to create risk, including the facts that make the breached data unintelligible, recoverable, or otherwise low risk.
  • Reassess if facts change, such as later evidence that encryption keys, credentials, backups, or exfiltration indicators were compromised.
  • For cross-border processing, identify the lead supervisory authority where the one-stop-shop applies; if there is doubt, the EDPB guidance says to notify at least the local authority where the breach took place.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 33 requires notice unless the breach is unlikely to create risk, and Articles 55 and 56 frame competent and lead supervisory authority concepts.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines list breach-risk factors and explain cross-border notification routing at a principles level.
EDPB - Notify a data breach
The EDPB breach-notification page summarizes that controllers notify the relevant DPA except for breaches unlikely to present risk, and points users to DPA notification procedures.
Section 3

Prepare the supervisory-authority notice and delay reasons

The Article 33 notice should be useful even when the incident is still under investigation. GDPR permits phased notification when all information cannot be provided at the same time, but later information must follow without undue further delay.

If notification is not made within 72 hours after awareness, the notice must include reasons for the delay. Keep the reason specific: for example, forensic uncertainty, bundled similar breaches over a short period, or missing affected-record estimates.

  • Describe the nature of the breach, including affected categories and approximate numbers of data subjects and personal data records where possible.
  • Provide the DPO or other contact point for follow-up information.
  • Describe likely consequences for affected people, including identity theft, fraud, financial loss, confidentiality loss, service unavailability, or other concrete effects where supported by facts.
  • Describe measures already taken or proposed to contain, recover, mitigate, and prevent similar breach effects.
  • State whether the first notice is phased, what information remains open, and when follow-up updates are expected.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 33(3) lists minimum supervisory-authority notice content, Article 33(4) permits phased information, and Article 33(1) requires reasons for late notice.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines explain that precise figures are not a barrier to timely notice and recommend telling the authority when details will follow.
Section 4

Escalate processor breaches to the controller without undue delay

A processor that becomes aware of a personal data breach in processing performed for a controller must notify the controller without undue delay. The processor does not decide whether Article 33 supervisory-authority notification is required; the controller makes that risk assessment after becoming aware.

Processor contracts and incident playbooks should therefore define early escalation, facts to provide in phases, affected-controller mapping, and authority to notify on the controller's behalf only where the controller has authorized it.

  • Require processor escalation when the processor has established that a breach occurred, even if the risk assessment is incomplete.
  • Ask for incident timeline, affected systems, personal data categories, affected controller services, containment status, backup or recovery facts, and whether other controllers are affected.
  • Treat the controller as generally aware once the processor informs it of the breach, then run the controller's Article 33 and Article 34 assessment.
  • If a processor serves multiple controllers affected by the same incident, require separate notice details for each affected controller.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 33(2) requires the processor to notify the controller without undue delay after becoming aware of a personal data breach.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines clarify that processors need not assess risk before notifying the controller and may provide details in phases.
Section 5

Send Article 34 notices when the breach is likely high risk

Data-subject communication is required when the breach is likely to result in a high risk to the rights and freedoms of natural persons. This threshold is higher than the supervisory-authority notification threshold, so not every Article 33 notification requires Article 34 communication.

When Article 34 applies, the communication should be direct, clear, and useful for the affected person. It should explain the breach, the contact point, likely consequences, measures taken or proposed, and practical steps the person can take to protect themselves.

Does every GDPR breach notification to a supervisory authority require notifying affected people?

No. Article 33 supervisory-authority notification is required unless the breach is unlikely to create risk for people. Article 34 communication to affected people is triggered only when the breach is likely to result in high risk.

Can a controller wait for the supervisory authority before warning affected people?

Not when prompt communication is needed to reduce high risk. EDPB Guidelines 9/2022 say notifying the supervisory authority is not a justification for failing to communicate with data subjects where Article 34 requires it.

  • Use dedicated breach messages rather than burying notice in newsletters, routine account updates, or generic blog posts.
  • Choose channels likely to reach affected people, and avoid a channel compromised by the breach if attackers could impersonate the controller there.
  • Communicate without undue delay when immediate steps, such as credential resets, fraud monitoring, or account protection, can reduce harm.
  • Document any Article 34(3) reason for not communicating directly, such as effective pre-breach protection that rendered data unintelligible, later measures removing the high risk, or disproportionate effort requiring an equally effective public communication.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 34 requires data-subject communication for likely high-risk breaches and specifies clear-language content and exceptions.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines explain the higher Article 34 threshold, direct communication methods, and practical protection objective.
Section 6

Maintain an evidence log for every personal data breach

Article 33(5) requires the controller to document any personal data breach, including facts, effects, and remedial action, so the supervisory authority can verify compliance. This applies even when the breach is not notified.

The log should support later reconstruction of the 72-hour clock and risk decisions. It should show what the controller knew, when it knew it, why notice was or was not sent, and how follow-up facts changed the assessment.

What should a GDPR 72-hour breach log prove?

It should prove the awareness timestamp, the Article 33 risk decision, the supervisory-authority notice or non-notification rationale, any delay reason, the Article 34 high-risk decision, communications sent, and remedial action taken.

Do non-notifiable GDPR personal data breaches still need records?

Yes. Article 33(5) requires documentation of personal data breaches, and EDPB Guidelines 9/2022 encourage an internal breach register regardless of whether notification is required.

  • Keep incident facts: alert source, awareness time, systems, data categories, affected people and records, breach type, root cause, containment, and recovery.
  • Keep decision evidence: Article 33 risk assessment, Article 34 high-risk assessment, non-notification rationale, delay reasons, phased-update plan, and authority or data-subject communications.
  • Keep processor evidence: processor notice, controller receipt time, affected services, missing facts, follow-up updates, and whether the processor was authorized to submit anything for the controller.
  • Keep remedial evidence: password resets, revoked credentials, restored backups, deletion or return assurances from recipients, monitoring, notices sent, and post-incident control changes.
  • Keep DPO or contact-point involvement where applicable, because Article 33 notice content includes the DPO or another contact point.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Article 33(5) requires breach documentation covering facts, effects, and remedial action.
EDPB Guidelines 9/2022 on personal data breach notification
The guidelines recommend documenting notification reasoning, non-notification justification, delayed notice reasons, and evidence of data-subject communications.
Recommended next step

Use this workflow to align legal, security, DPO, processor, and communications teams

Sorena can turn the Article 33 and Article 34 requirements on this page into a cited breach log, processor escalation checklist, supervisory-authority notice draft, high-risk data-subject communication checklist, and follow-up evidence tracker.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about the 72-hour clock, Article 33 notice content, processor escalation, Article 34 high-risk communication, and breach documentation.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR breach-notification workflow, source gaps, and evidence log design with Sorena.

Explore next step
Primary sources

References and citations

EDPB - Notify a data breach
edpb.europa.eu
Referenced sections
  • The EDPB breach-notification page summarizes that controllers notify the relevant DPA except for breaches unlikely to present risk, and points users to DPA notification procedures.
"except for those unlikely to present any risk"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Article 33(5) requires breach documentation covering facts, effects, and remedial action.
"document any personal data breaches"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.