GDPR breach notification: the 72-hour rule (Art. 33 & 34)
By ComplyBricks · Last reviewed Jul 12, 2026
A personal data breach under GDPR is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (Art. 4(12)). When one happens, the clock starts.
Notify the supervisory authority — within 72 hours
Under Article 33, you must notify your competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach — unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
- The 72 hours run from awareness, not from when the breach occurred.
- If you notify late, you must explain the reasons for the delay.
- You can notify in phases if you don't have all the information at once.
What the notification must include
- the nature of the breach, including categories and approximate numbers of data subjects and records affected;
- the name and contact details of your DPO or other contact point;
- the likely consequences;
- the measures taken or proposed to address the breach and mitigate harm.
Tell the affected individuals — when the risk is high
Under Article 34, if the breach is likely to result in a high risk to individuals, you must also communicate it to the affected data subjects without undue delay, in clear language, describing the breach and your mitigation and advice. There are limited exceptions (for example, if the data was encrypted and unintelligible, or you've since neutralised the high risk).
Keep a record
You must document every breach — the facts, effects, and remedial action — regardless of whether it was notifiable. Supervisory authorities can ask to see this record.
Be ready before it happens
Meeting a 72-hour deadline depends on detecting and triaging breaches quickly — which is why an incident-response process and clear roles matter. For the broader obligations, see GDPR compliance for SMBs; note that NIS2 has its own, separate incident-reporting timeline that can apply in parallel.
References
- GDPR — Regulation (EU) 2016/679: Art. 4(12) (definition), Art. 33 (authority notification), Art. 34 (communication to data subjects)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →