--- title: "When does the GDPR 72-hour breach notification clock start?" canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock" source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock" author: "Sorena AI" description: "GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU GDPR" - "GDPR breach awareness" - "Article 33" - "Article 34" - "72-hour notification" - "supervisory authority" - "processor breach notice" - "GDPR" - "personal data breach" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # When does the GDPR 72-hour breach notification clock start? GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep. *FAQ* *EU GDPR* ## GDPR Breach Awareness Clock The Article 33 supervisory-authority clock starts when the controller has a reasonable degree of certainty that a security incident has caused personal data to be compromised. Use the first alert for triage, but keep a separate awareness record for the point when personal data breach facts become clear enough to trigger the controller's GDPR notification assessment. Under GDPR Article 33, a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. ## When does the GDPR 72-hour breach notification clock start? Do not start the Article 33 clock from every raw security alert. The EDPB says a controller becomes aware when it has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised. That short investigation period is not a pause button. The controller is expected to investigate promptly, establish whether personal data was breached, contain the incident, assess risk to individuals, and notify the supervisory authority if Article 33 is triggered. - Record the first alert, who received it, and why it was or was not immediately enough to establish a personal data breach. - Record the awareness timestamp separately: the point when the controller had reasonable certainty that personal data was compromised. - Assess whether the breach is unlikely to result in a risk to rights and freedoms; if not, prepare supervisory-authority notification without undue delay and, where feasible, within 72 hours after awareness. - Keep the Article 34 high-risk assessment separate from the Article 33 authority notification threshold; communication to data subjects is triggered by likely high risk. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR), Article 33](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33 sets the controller's supervisory-authority notification duty, the 72-hour timing after awareness, the risk exception, delayed-notification reasons, processor escalation, phased information, and breach documentation duty. - [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains that awareness requires a reasonable degree of certainty that a security incident occurred and personal data was compromised. ## What should happen when a processor finds the breach first? A processor that becomes aware of a personal data breach affecting personal data processed for a controller must notify the controller without undue delay. The processor does not decide the Article 33 risk threshold for the controller before escalating. Once the processor informs the controller, the controller uses that notice to run the Article 33 assessment and, if required, notify the supervisory authority. The controller keeps legal responsibility for notification even if a processor is authorised to submit a notice on its behalf. - Processor record: when the processor became aware, when it notified the controller, affected services, affected personal data, and facts still unknown. - Controller intake record: when the controller received processor notice, whether that notice gave reasonable certainty of a personal data breach, and who opened the Article 33 assessment. - Contract check: whether the controller-processor arrangement specifies early breach notice, phased updates, and any authority-notification support. - Multi-controller incident check: whether the processor must report details to each affected controller. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR), Article 33(2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(2) requires processors to notify controllers without undue delay after becoming aware of a personal data breach. - [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains that the processor need only establish that a breach occurred before notifying the controller, while the controller performs the risk assessment. ## What if the controller cannot complete everything within 72 hours? The GDPR allows notification information to be provided in phases when it is not possible to provide all information at the same time. The first notice should say what is known, what is not yet known, and that more information will follow without undue further delay. If the supervisory-authority notification is not made within 72 hours after awareness, Article 33 requires reasons for the delay. Those reasons should be specific to the breach, such as why facts could not be established sooner or why a bundled notification was used for closely related breaches. - Minimum notification content: nature of the breach, affected data-subject and record categories where possible, DPO or contact point, likely consequences, and measures taken or proposed. - Phased-update log: missing facts, owner for each investigation item, next update trigger, and later information sent to the supervisory authority. - Delay record: why notification exceeded 72 hours, when each material fact became available, and why the delay was not excessive. - Bundling check: only group similar breaches over a short period when that gives a meaningful notification; different data or breach types should be assessed separately. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR), Article 33(3)-(4)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33 lists minimum notification content and permits phased information where it is not possible to provide all information at the same time. - [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains phased notification, delayed-notification reasons, and the limited use of bundled notifications for similar breaches. ## Which records prove the breach-clock decision? Article 33(5) requires the controller to document personal data breaches, including the facts, effects, and remedial action. The record must allow a supervisory authority to verify compliance with Article 33. Keep records for both notifiable and non-notifiable breaches. If the controller decides not to notify, the record should explain why the breach was unlikely to result in risk to individuals; if data subjects are not told, the record should support the Article 34 high-risk decision or applicable Article 34 condition. - Timeline: first alert, investigation start, awareness point, risk assessment, notification decision, authority submission, phased updates, and closure. - Facts: breach type, cause, affected systems, affected personal data, affected data subjects, known or approximate volumes, and whether data remained intelligible. - Effects and risk: likely consequences, likelihood and severity assessment, high-risk data-subject communication decision, and reviewer approvals. - Remedial action: containment, recovery, mitigation steps, communications sent, processor updates, authority correspondence, and lessons learned. Sources for this answer: - [Regulation (EU) 2016/679 (GDPR), Article 33(5)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(5) requires documentation of personal data breach facts, effects, and remedial action so the supervisory authority can verify Article 33 compliance. - [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance recommends an internal breach register and documenting reasons for notification, non-notification, delayed notification, and data-subject communication decisions. ## Primary sources - [Regulation (EU) 2016/679 (GDPR), Articles 33 and 34](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary GDPR text for controller notification within 72 hours after awareness, processor notification without undue delay, phased notification, delayed-notification reasons, breach documentation, and data-subject communication for likely high-risk breaches. - Quote: "Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay." - [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance used for the awareness trigger, prompt investigation, processor escalation, phased and delayed notifications, risk assessment factors, and Article 33(5) recordkeeping. - Quote: "the controller must keep documentation of all breaches" - [EDPB Notify a Data Breach](https://www.edpb.europa.eu/notify-data-breach_en?ref=sorena.io) - EDPB breach-notification routing page that points controllers to national supervisory-authority notification channels without adding national procedural details to this artifact. - Quote: "Notify a Data Breach" ## Topic Guides - [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives. - [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence. - [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live. - [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data. - [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence. - [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs. - [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records. - [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence. - [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records. - [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties. - [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence. - [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence. - [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks. - [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required. - [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits. - [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15. - [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records. - [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers. - [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks. - [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records. - [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f). - [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together. - [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence. - [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors. - [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable. - [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures. - [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers. - [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields. - [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required. - [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers. - [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis. - [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence. - [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not. - [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance. - [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers. - [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records. - [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits. - [GDPR vs EU Data Act: personal data safeguards and source limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act.md): Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability. - [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements. *Recommended next step* *Placement: before sources* ## Use this GDPR FAQ as the control point for breach escalation Sorena can convert the Article 33 clock, processor escalation, delay reasons, phased updates, and Article 33(5) records into a cited breach-response workflow. - [Open Research Copilot for GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR breach awareness, supervisory-authority notification, processor escalation, and evidence records. - [Talk through implementation](/contact.md): Review your GDPR personal data breach workflow, notification thresholds, and evidence gaps with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock