GDPR Data Breach Notification: 72-Hour Rule Explained (2026)

When a personal data breach occurs, the clock starts immediately. Under the GDPR, data controllers have just 72 hours to notify their supervisory authority after becoming aware of a breach that poses a risk to individuals. Missing that deadline is itself a violation that can trigger significant penalties.
Articles 33 and 34 of Regulation (EU) 2016/679 establish the breach notification framework. The EDPB Guidelines 9/2022 on personal data breach notification provide the authoritative interpretation. This guide covers what counts as a breach, when and how to notify, what to include in notifications, and real enforcement examples.
For the broader regulatory context, see What Is GDPR. For compliance planning, see the GDPR compliance checklist.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
What Counts as a Personal Data Breach
The GDPR defines a personal data breach in Article 4(12) as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
The European Commission and the EDPB clarify that breaches fall into three categories:
Confidentiality Breach
Unauthorized or accidental disclosure of, or access to, personal data. Examples:
- A hacker gains access to a customer database
- An employee sends personal data to the wrong email recipient
- A laptop containing unencrypted personal data is stolen
- A third-party service provider's systems are compromised, exposing data you shared with them
Integrity Breach
Unauthorized or accidental alteration of personal data. Examples:
- A cyberattack modifies medical records
- A software bug corrupts employee payroll data
- An unauthorized user edits customer account details
Availability Breach
Accidental or unauthorized loss of access to, or destruction of, personal data. Examples:
- A ransomware attack encrypts a database and the organization has no backup
- A server failure permanently destroys personal data
- An employee accidentally deletes records with no recovery option
The ICO guidance on personal data breaches emphasizes that a breach does not need to involve a malicious attack. Accidental loss, human error, and system failures all qualify if personal data is affected.

The 72-Hour Rule: Notification to the Supervisory Authority (Article 33)
When to Notify
Article 33(1) requires controllers to notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it."
The 72-hour clock starts when the controller becomes "aware" of the breach. The EDPB guidelines clarify what "awareness" means:
- For a breach discovered through your own monitoring systems, awareness starts when the systems detect the incident
- For a breach reported by a data processor, awareness starts when the controller receives the processor's notification (not when the processor first discovered it)
- For a breach reported by an individual or external party, awareness starts when the controller receives credible information indicating a breach has occurred
The Only Exception: No Risk to Individuals
Notification is not required if the breach "is unlikely to result in a risk to the rights and freedoms of natural persons." This is a narrow exception. The EDPB guidelines note that most breaches involving personal data do pose at least some risk. When in doubt, notify.
If You Miss the 72-Hour Window
If notification is not made within 72 hours, Article 33(1) requires the controller to provide a "reasoned justification for the delay." Legitimate reasons for delay include the complexity of the breach, the need to contain the incident before notification, or the scale of an investigation. Not knowing the breach occurred is not itself a justification if the organization should have had detection systems in place.
What the Notification Must Include
Article 33(3) specifies the minimum content:
- Nature of the breach: What happened, including the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned
- Contact point: The name and contact details of the DPO or another point of contact
- Likely consequences: A description of the likely consequences of the breach
- Mitigation measures: The measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
Phased Notification
Article 33(4) permits phased notification. If all required information is not available within 72 hours, you can provide it in phases "without undue further delay." This means you should submit an initial notification with available information within 72 hours and supplement it as the investigation progresses.
How to Notify
The EDPB maintains a directory of breach notification portals for each national supervisory authority. Most DPAs accept notifications through online forms. The controller should notify the supervisory authority in the member state where it has its main establishment, or where the breach most affects data subjects.

Notification to Data Subjects (Article 34)
When Data Subjects Must Be Notified
Article 34(1) requires the controller to communicate the breach to affected data subjects "without undue delay" when the breach "is likely to result in a high risk to the rights and freedoms of natural persons."
The threshold for notifying data subjects is higher than for notifying the supervisory authority. Not every breach requires individual notification. The key question is whether the breach is likely to result in "high risk," which the EDPB assesses based on:
- The nature and sensitivity of the data involved (financial data, health data, ID numbers carry higher risk)
- The volume of data and number of individuals affected
- The likelihood that the data will be used maliciously
- The severity of potential consequences (identity theft, financial loss, discrimination)
What to Tell Data Subjects
The communication must include:
- A clear, plain-language description of the nature of the breach
- The name and contact details of the DPO or another contact point
- A description of the likely consequences
- The measures taken or proposed to address the breach and mitigate its effects
The communication must be made directly to affected individuals unless individual notification would involve "disproportionate effort," in which case a public communication or similar measure is permitted.
When Data Subject Notification Is NOT Required
Article 34(3) provides three exceptions:
- Encryption or similar protection. The controller implemented appropriate technical measures (such as encryption) that render the data unintelligible to unauthorized persons, and those measures were applied to the data affected by the breach.
- Subsequent mitigation. The controller took subsequent measures that ensure the high risk is no longer likely to materialize. For example, immediately revoking compromised credentials before any unauthorized use occurred.
- Disproportionate effort. Individual notification would require disproportionate effort. In this case, a public communication or similar measure that informs data subjects equally effectively is required instead.
Data Processor Obligations
Data processors have their own breach notification obligations. Article 33(2) requires processors to notify the controller "without undue delay" after becoming aware of a breach. The GDPR does not specify a fixed timeframe for processor-to-controller notification, but "without undue delay" is interpreted strictly.
What to Include in Processor Contracts
Data processing agreements under Article 28 should specify:
- The maximum time within which the processor must notify the controller after discovering a breach (many organizations set this at 24 hours or less)
- The information the processor must provide in the notification
- The processor's obligation to assist the controller in meeting its 72-hour deadline and in investigating the breach
- Cooperation requirements for responding to supervisory authority inquiries
The Breach Register (Article 33(5))
Article 33(5) requires controllers to document all personal data breaches, regardless of whether they were reported to the supervisory authority. This internal breach register must record:
- The facts relating to the breach (what happened, when, how)
- The effects of the breach
- The remedial actions taken
- The controller's assessment of risk to individuals
- The rationale for notifying or not notifying the supervisory authority
This register must be available to the supervisory authority on request. It serves as evidence of compliance and provides an audit trail of how the organization responded to each incident.
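As an added illustration (not code from the original guide or from any regulator's tooling), the following Python sketch encodes the Article 33 awareness rules, the 72-hour deadline, the "reasoned justification" rule for late filings and the Article 34(3) exceptions into a small breach-register helper. The field names, risk labels and the sample incident are constructed assumptions; a real register would also carry the effects, remedial actions and full reasoning.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SA_WINDOW = timedelta(hours=72)  # Article 33(1): "not later than 72 hours"

@dataclass
class Breach:
    """One incident as it would sit in the Article 33(5) register (ISO 8601 timestamps)."""
    facts: str
    detected_by: str                  # "monitoring", "processor" or "external"
    detected_at: str                  # when the detecting party first knew of it
    controller_informed_at: Optional[str] = None  # when the controller received the report
    risk: str = "risk"                # controller's assessment: "none", "risk" or "high"
    data_unintelligible: bool = False # Art. 34(3)(a): encrypted, key not compromised
    risk_removed: bool = False        # Art. 34(3)(b): later measures removed the high risk
    disproportionate_effort: bool = False  # Art. 34(3)(c): individual notice not feasible

def awareness_time(b: Breach) -> datetime:
    """Own monitoring: clock starts at detection; a report: when the controller receives it."""
    if b.detected_by == "monitoring":
        return datetime.fromisoformat(b.detected_at)
    if b.controller_informed_at is None:
        raise ValueError("controller_informed_at is required for reported breaches")
    return datetime.fromisoformat(b.controller_informed_at)

def sa_deadline(b: Breach) -> datetime:
    return awareness_time(b) + SA_WINDOW

def sa_notification(b: Breach, submitted_at: Optional[str]) -> str:
    """Article 33 status; the only exception is 'unlikely to result in a risk'."""
    if b.risk == "none":
        return "not required: record the reasoning in the breach register"
    if submitted_at is None:
        return "required by " + sa_deadline(b).isoformat()
    if datetime.fromisoformat(submitted_at) <= sa_deadline(b):
        return "submitted on time"
    return "submitted late: reasoned justification for the delay required"

def data_subject_action(b: Breach) -> str:
    """Article 34: individual notice only for high risk, minus the 34(3) exceptions."""
    if b.risk != "high" or b.data_unintelligible or b.risk_removed:
        return "not required"
    if b.disproportionate_effort:
        return "public communication or equally effective measure"
    return "individual notification without undue delay"

# Constructed sample: processor found it on 2 March, told the controller on 3 March 14:00 UTC.
SAMPLE = Breach("Processor's backup bucket exposed customer contact records", "processor",
                "2026-03-02T09:00:00+00:00", "2026-03-03T14:00:00+00:00", risk="high")
```

Note that for the sample the clock runs from the controller's receipt of the report (3 March 14:00 UTC), so the supervisory authority deadline is 6 March 14:00 UTC, not 72 hours after the processor's own discovery.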
Real Enforcement Examples
Meta: EUR 251 Million for Breach Handling Failures (2024)
In December 2024, Ireland's DPC fined Meta EUR 251 million following a 2018 data breach where vulnerabilities in Facebook's "View As" feature allowed attackers to steal access tokens for approximately 29 million accounts globally (3 million in Europe). The fine breakdown included EUR 8 million for improper breach notification, EUR 3 million for inadequate documentation, EUR 130 million for poor system design, and EUR 110 million for failing to process only necessary data by default.
Meta: EUR 265 Million for Security Failures (2022)
The DPC fined Meta EUR 265 million for insufficient security measures that led to the scraping of personal data from 533 million Facebook users. The investigation found that Meta had not implemented adequate technical measures to prevent unauthorized data harvesting.
French Hospital: EUR 3.2 Million for Missing 72-Hour Window (2024)
A French hospital was fined EUR 3.2 million after a ransomware attack exposed 500,000 patient records. The fine reflected both inadequate security and failure to notify within the 72-hour window.
Estonia: EUR 3 Million for Loyalty Program Breach (2024)
Estonia's Data Protection Inspectorate fined the operator of the Apotheka loyalty program EUR 3 million after a data breach compromised personal data of over 750,000 individuals.
Building a Breach Response Plan
Organizations that handle breaches well share common characteristics: they have documented plans, trained personnel, and tested procedures before an incident occurs.
Essential Components
Detection capabilities. Implement technical systems to identify breaches quickly: intrusion detection systems, log monitoring, anomaly detection, and security information and event management (SIEM) tools. The faster you detect, the more time you have within the 72-hour window.
Response team. Designate a breach response team with clear roles: incident coordinator, IT/security lead, legal counsel, DPO, and communications lead. Everyone should know their responsibilities before a breach occurs.
Assessment framework. Create a standardized breach assessment template to evaluate the risk to individuals within hours of detection. This template should guide the decision on whether supervisory authority and data subject notification is required.
Notification templates. Prepare draft notification letters for both the supervisory authority and data subjects. Pre-approved templates save critical hours during an actual incident. Customize templates for different breach scenarios (cyber attack, accidental disclosure, lost device).
Escalation procedures. Define when and how to escalate within the organization. Set specific triggers for notifying executive leadership, legal counsel, and external advisors.
Regular testing. Conduct tabletop exercises at least annually. Walk through realistic breach scenarios from detection through notification and remediation. Identify gaps in your plan and address them.
Response Timeline
| Time | Action |
|---|---|
| Hour 0 | Breach detected or reported |
| Hours 0-4 | Initial containment and assessment |
| Hours 4-24 | Investigation, risk assessment, evidence preservation |
| Hours 24-48 | Prepare notification to supervisory authority |
| Hours 48-72 | Submit notification to supervisory authority (or decide notification is not required and document reasoning) |
| Hours 72+ | Continue investigation, consider data subject notification, implement remediation |
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Fines and Penalties for enforcement data and the consequences of non-compliance
- GDPR Data Subject Rights for all eight individual rights
- GDPR Consent Requirements for valid consent standards
- GDPR for Small Businesses for SME-specific guidance
- [EU Data Privacy Laws](/world-laws/world-data-privacy-laws/eu-data-privacy-laws) for the complete EU data protection overview
Sources and References
- GDPR Full Text - Regulation (EU) 2016/679 (eur-lex.europa.eu)
- EDPB Guidelines 9/2022 on Personal Data Breach Notification (v2.0) (edpb.europa.eu)
- European Commission - What Is a Data Breach? (commission.europa.eu)
- EDPB - Article 33 Breach Notification to Supervisory Authority (edpb.europa.eu)
- EDPB - Data Breaches (SME Guide) (edpb.europa.eu)
- EDPB - How to Notify a Data Breach to Your DPA (edpb.europa.eu)
- ICO - Personal Data Breaches: A Guide (ico.org.uk)
- EDPS - Personal Data Breach Notification Guidelines (edps.europa.eu)
- EDPB - Security of Processing and Data Breach Notification (One-Stop-Shop Case Digest) (edpb.europa.eu)