--- title: "EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/breach-notification-workflow" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/breach-notification-workflow" author: "Sorena AI" description: "A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "GDPR breach notification" - "personal data breach" - "Article 33" - "Article 34" - "72-hour notification" - "supervisory authority" - "data subject notification" - "GDPR" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. *Artifact Guide* *EU* ## EU GDPR Breach Notification Workflow Use this workflow when a suspected security incident may involve personal data and the team needs to decide whether Article 33 or Article 34 notification is required. The workflow covers detection, triage, the awareness clock, controller and processor roles, authority notification, data subject communication, evidence, and post-incident records. This EU GDPR breach notification workflow turns a suspected security incident into a documented Article 33 and Article 34 decision. It starts with breach recognition and containment, then records when the controller became aware, the risk assessment, role handoffs, notification content, communication to affected people when required, and the final breach file. ## 1. Detect and triage the incident Open the workflow when monitoring, support, a processor, a third party, a user report, or an internal team flags an incident that may involve personal data. The first triage question is not whether the incident is embarrassing or severe; it is whether there has been a breach of security involving personal data. Classify the event as a suspected confidentiality, integrity, availability, or combined breach. GDPR Article 4(12) covers accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. The EDPB also distinguishes personal data breaches from security incidents that do not involve personal data. - Capture the first alert: reporter, time received, affected system, data set, processor or supplier involved, and immediate containment action. - Decide whether personal data was transmitted, stored, or otherwise processed in the affected environment. - Classify the suspected breach type: confidentiality, integrity, availability, or a combination. - Start containment in parallel with assessment: isolate affected accounts or systems, preserve logs, stop further disclosure, and restore access where availability is affected. - Escalate to the incident owner, privacy or legal owner, security owner, DPO or privacy contact, and affected product or operations owner. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Defines personal data, controller, processor, and personal data breach, including the Article 4(12) breach definition used for initial triage. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Explains breach types, distinguishes security incidents from personal data breaches, and recommends incident processes for detection, escalation, containment, risk assessment, notification, and documentation. ## 2. Set the awareness clock and role handoffs Record the point when the controller has a reasonable degree of certainty that a security incident has occurred and personal data has been compromised. That is the awareness point for the Article 33 notification clock. A short initial investigation can happen before awareness, but it should begin as soon as possible and should not become an open-ended forensic delay. If a processor discovers a personal data breach while processing on behalf of a controller, the processor notifies the controller without undue delay. The controller then assesses risk and decides whether to notify the supervisory authority or affected data subjects. Joint controllers should already have an arrangement that allocates who leads Article 33 and Article 34 duties. - Record suspected incident time, discovery time, escalation time, processor-to-controller notice time, and controller awareness time. - If the incident came from a processor, require the facts available to the processor now and further updates in phases as details mature. - If the processing is jointly controlled, identify the controller responsible for authority notification and data subject communication under the joint-controller arrangement. - If the controller is not established in the EEA but GDPR Article 3 applies, check EDPB guidance because the one-stop-shop mechanism may not be available for breach notification. - Do not wait for perfect numbers before making the notification decision; document estimates and plan phased updates when the facts are incomplete. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33 sets the controller notification duty, 72-hour timing from awareness, processor notice duty, phased information, and breach documentation requirement. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Defines the controller awareness point as reasonable certainty, explains short initial investigation, processor notice, phased updates, and notification routing for cross-border or non-EEA establishment cases. - [EDPB Guidelines 07/2020 on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en?ref=sorena.io) - Supports role allocation by explaining controller, processor, and joint-controller responsibilities, including that joint-controller arrangements should cover breach notification obligations. ## 3. Assess risk and decide who must be notified The authority notification threshold and the data subject communication threshold are different. Notify the competent supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Communicate to affected data subjects when the breach is likely to result in a high risk to their rights and freedoms. Assess the real breach facts, not only the generic DPIA scenario. Consider the breach type, sensitivity and volume of data, ease of identifying people, severity and permanence of consequences, affected vulnerable groups, the controller's context, number of affected people, encryption or other protections, backup availability, and whether the data is now in the hands of an unknown or malicious actor. - Low or no-risk rationale: document why the breach is unlikely to result in risk, and keep the breach record even if no authority notification is made. - Authority notification: prepare Article 33 notification when risk to rights and freedoms is likely, including delayed-notification reasons if the 72-hour window cannot be met. - Data subject communication: prepare Article 34 communication when high risk is likely, using clear and plain language and practical steps affected people can take. - Reassessment trigger: reopen the decision if encryption keys are later compromised, new exfiltration evidence appears, restoration takes longer than expected, or affected categories change. - Decision owner: legal or privacy owns the notification threshold; security owns technical facts; product, support, HR, or operations owns affected-person facts and communication channels. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 33 and 34 provide the notification thresholds for supervisory authorities and data subjects, and Article 34 lists conditions where direct data subject communication is not required. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Provides risk and high-risk assessment factors, including breach type, data sensitivity, identifiability, severity, vulnerable individuals, controller context, and number of affected people. ## 4. Notify the supervisory authority when Article 33 applies When Article 33 notification is required, prepare the authority notice from the breach record rather than a separate narrative. GDPR Article 33(3) requires the nature of the breach, affected categories and approximate numbers where possible, DPO or contact details, likely consequences, and measures taken or proposed to address the breach and mitigate adverse effects. For cross-border processing, the EDPB explains that the controller should notify the lead supervisory authority. If there is doubt about the lead authority, the controller should at least notify the local supervisory authority where the breach took place. For controllers with no EEA main establishment in relevant cases, the EDPB explains that the breach may need notification to every supervisory authority for affected data subjects in their Member State. - Minimum notification contents: breach nature, affected data subject categories, approximate affected-person count, affected record categories, approximate record count, contact point, likely consequences, remediation, and mitigation. - Use phased notification when exact figures, root cause, or full impact is unavailable within the initial window. - If the notification is later than 72 hours after awareness, include the documented reason for delay. - If a processor caused or detected the issue, include the processor facts needed to explain the incident without shifting the controller's legal responsibility. - Update the authority when follow-up investigation materially changes the facts, risk level, affected scope, or remediation plan. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(3) and 33(4) specify the minimum information for supervisory-authority notification and allow phased information when it cannot be provided at the same time. - [EDPB data breach notification routing page](https://www.edpb.europa.eu/notify-data-breach_en?ref=sorena.io) - EDPB page summarising DPA notification routing: relevant DPA except unlikely-risk breaches, lead DPA for cross-border processing, and no one-stop-shop for controllers without an EEA main establishment. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Explains phased notification, delayed-notification reasons, cross-border notification routing, non-EEA establishment cases, and the controller's continuing responsibility. ## 5. Communicate to data subjects when Article 34 applies When the breach is likely to result in high risk, communicate to affected data subjects without undue delay. The communication should be dedicated to the breach, clear, plain, and practical. It should not be hidden inside a newsletter, general product update, or generic security statement. The communication should describe the nature of the breach, provide the DPO or other contact point, describe likely consequences, and explain measures taken or proposed to address the breach and mitigate adverse effects. Choose channels that are likely to reach affected people and avoid using a channel that was itself compromised by the breach. - Prepare separate messages for affected groups when risks or protective steps differ. - Tell people what happened, what categories of their data were affected, what harm is plausible, and what they can do now. - Use direct channels where feasible, such as email, SMS, direct message, or postal communication; use public communication only where Article 34 allows an equally effective measure. - Check language, accessibility, and local context so the affected people can understand the breach and protective steps. - Keep proof of communication content, channel, timing, audience, and any authority guidance considered. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 34 sets the high-risk trigger, required content for data subject communication, and conditions where direct communication is not required. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Explains clear and effective data subject communication, direct contact methods, dedicated breach messages, language and accessibility considerations, and compromised-channel cautions. ## 6. Close with evidence, records, and post-incident review Close the workflow only after the breach record explains the facts, effects, remedial action, notification decisions, and reassessment triggers. GDPR Article 33(5) requires controllers to document personal data breaches so the supervisory authority can verify compliance with Article 33. The post-incident review should not rewrite the notification decision to fit the final root cause. Preserve the timeline from first alert through awareness, risk assessment, notification, data subject communication, containment, recovery, and corrective actions. If later facts change the risk assessment, update the record and any authority or data subject follow-up. - Evidence file: alert, triage notes, awareness timestamp, affected data map, role map, processor notices, containment actions, logs preserved, and recovery evidence. - Decision file: risk assessment, high-risk assessment, no-notification rationale if applicable, authority notification copy, delay reasons, phased update plan, and data subject communication decision. - Notification file: submitted authority notice, submission time, authority reference, follow-up updates, data subject message variants, send logs, and public communication evidence if used. - Corrective actions: root cause, control gaps, processor or joint-controller contract changes, monitoring changes, backup or restoration improvements, and owner deadlines. - Reopen triggers: new compromised data, changed affected-person count, key compromise, failed restoration, attacker publication, authority request, or repeated similar breach. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(5) requires the controller to document breach facts, effects, and remedial action so supervisory authorities can verify compliance. - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Recommends internal breach registers, documenting reasons for notification decisions, keeping evidence of data subject communication, and involving the DPO throughout breach management. - [ENISA Handbook on Security of Personal Data Processing](https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing?ref=sorena.io) - Supports security-control and incident-readiness context for personal data processing, including risk-based technical and organisational measures. *Recommended next step* *Placement: before sources* ## Use this workflow to structure breach triage and notification decisions Sorena can help turn a suspected personal data breach into cited decisions, owner assignments, notification drafts, evidence requests, and reusable post-incident records. - [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about Article 33, Article 34, controller and processor roles, awareness timing, and breach records using the cited sources on this page. - [Talk through implementation](/contact.md): Review your breach triage, notification thresholds, authority routing, data subject communication, evidence gaps, and post-incident workflow with Sorena. ## Primary sources - [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary legal source for Article 4 breach, controller, and processor definitions; Article 33 supervisory-authority notification; Article 34 data subject communication; and Article 33(5) breach documentation. - Quote: "not later than 72 hours after having become aware of it" - [EDPB Guidelines 9/2022 on personal data breach notification under GDPR](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - Main operational guidance for breach recognition, awareness, processor handoffs, phased notification, cross-border routing, risk and high-risk assessment, data subject communication, and recordkeeping. - Quote: "Guidelines 9/2022 on personal data breach notification under GDPR" - [EDPB Guidelines 07/2020 on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en?ref=sorena.io) - Supports controller, processor, and joint-controller role allocation, including which party leads breach notification obligations. - Quote: "controller, joint controller and processor" - [EDPB data breach notification routing page](https://www.edpb.europa.eu/notify-data-breach_en?ref=sorena.io) - EDPB public routing page for identifying whether to notify the relevant, lead, local, or multiple DPAs. - Quote: "How to notify a data breach to your DPA" - [ENISA Handbook on Security of Personal Data Processing](https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing?ref=sorena.io) - Security guidance context for risk-based technical and organisational measures that support breach detection, containment, recovery, and post-incident improvement. - Quote: "Security of Personal Data Processing" ## Related Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. - [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/breach-notification-workflow