GDPR · Art. 33 & 34

Report a data breach – the 72-hour deadline

In the event of a personal data breach, Art. 33 GDPR requires you to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. SimpleAct keeps the deadline, the risk assessment and the reporting chain under control and fully documented.

What is a notifiable data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Art. 4(12) GDPR) – whether through a cyberattack, a misdirected email, a lost laptop or a misconfiguration. Unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects, the notification duty under Art. 33 applies; where a high risk is likely, the communication duty under Art. 34 applies as well.

Obligations in the event of a breach

Notify the authority (Art. 33)
Without undue delay and, where feasible, within 72 hours of becoming aware of it – unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Inform data subjects (Art. 34)
Where a high risk is likely, the affected individuals must also be informed without undue delay.
Internal documentation
Every breach must be documented with its facts, its effects and the remedial action taken – even if it is not reported (Art. 33(5), accountability principle).
Risk assessment
The nature, scope and severity of the breach determine whether the authority and the data subjects must be informed – and the reasoning behind that decision must be documented.

Immediate steps after a data breach

  • Record the incident and the time it became known
  • Scope the affected data, people and systems
  • Take immediate containment measures
  • Assess the risk to the data subjects
  • If there is a risk: notify the authority within 72 hours
  • If high risk: inform data subjects without undue delay
  • Document the incident, assessment and measures in full

72-hour deadline from awareness

The clock starts as soon as you become aware of the breach – not only once the investigation is complete. Where not all facts are available yet, the notification may be made in phases (Art. 33(4)); a notification made after 72 hours must be accompanied by the reasons for the delay. A rehearsed process with deadline tracking is therefore essential.
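The steps listed above and the deadline rule in this section can be turned into a small breach-register entry that tracks the obligations mechanically. The following is an added illustration, not SimpleAct's code; the record fields, the `Risk` levels, the incident identifier and the sample timestamps are all assumptions constructed for the example.

```python
"""Breach-register entry with Art. 33/34 obligation and 72-hour deadline tracking (illustrative example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Art. 33(1): notify the supervisory authority without undue delay and,
# where feasible, no later than 72 hours after becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Assumed three-level outcome of the risk assessment."""
    UNLIKELY = "unlikely"  # no notification duty, but still document it (Art. 33(5))
    RISK = "risk"          # notify the supervisory authority (Art. 33)
    HIGH = "high"          # additionally inform the data subjects (Art. 34)


def _utc(dt: datetime) -> datetime:
    """Reject naive timestamps: a deadline computed in the wrong zone is a real-world bug."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime                 # when you became aware, not when the investigation ended
    risk: Risk
    rationale: str                     # documented reasoning behind the risk rating
    notified_authority_at: datetime | None = None
    informed_subjects_at: datetime | None = None
    delay_reasons: str | None = None   # Art. 33(1): required if notification is later than 72 h

    def __post_init__(self) -> None:
        self.aware_at = _utc(self.aware_at)
        if self.notified_authority_at is not None:
            self.notified_authority_at = _utc(self.notified_authority_at)
        if self.informed_subjects_at is not None:
            self.informed_subjects_at = _utc(self.informed_subjects_at)

    @property
    def deadline(self) -> datetime:
        """End of the 72-hour window, counted from awareness."""
        return self.aware_at + NOTIFICATION_WINDOW

    def must_notify_authority(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def must_inform_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def time_remaining(self, now: datetime) -> timedelta:
        """Positive while inside the window, negative once it has passed."""
        return self.deadline - _utc(now)

    def notified_late(self) -> bool:
        return (self.notified_authority_at is not None
                and self.notified_authority_at > self.deadline)

    def open_issues(self, now: datetime) -> list[str]:
        """Everything that still keeps this record from being compliant at time `now`."""
        issues: list[str] = []
        now = _utc(now)
        if not self.rationale.strip():
            issues.append("risk assessment has no documented rationale (Art. 33(5))")
        if self.must_notify_authority():
            if self.notified_authority_at is None:
                if now > self.deadline:
                    issues.append("authority not notified and the 72-hour window has passed (Art. 33(1))")
                else:
                    issues.append(f"authority notification due by {self.deadline.isoformat()}")
            elif self.notified_late() and not self.delay_reasons:
                issues.append("notification was late but carries no reasons for the delay (Art. 33(1))")
        if self.must_inform_subjects() and self.informed_subjects_at is None:
            issues.append("data subjects not yet informed of a high-risk breach (Art. 34)")
        return issues


# Constructed sample record (not a real incident): awareness on a Monday morning,
# notification filed on Thursday afternoon, i.e. 2 h 45 min after the window closed.
SAMPLE = BreachRecord(
    incident_id="INC-0001",
    aware_at=datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc),
    risk=Risk.HIGH,
    rationale="Customer export with e-mail addresses and password hashes sent to the wrong recipient.",
    notified_authority_at=datetime(2024, 3, 7, 12, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    now = datetime(2024, 3, 7, 13, 0, tzinfo=timezone.utc)
    print("deadline:", SAMPLE.deadline.isoformat())
    print("late:", SAMPLE.notified_late())
    for issue in SAMPLE.open_issues(now):
        print("-", issue)
```

The design choice worth copying is that the record refuses naive timestamps and anchors the deadline on the awareness time rather than on the end of the investigation, which is exactly where late notifications usually come from in practice.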

Frequently asked questions about data breaches

Does every breach have to be reported?

No. A notification to the authority is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. It must, however, always be documented.

What happens with a late notification?

If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay (Art. 33(1)). A missing or seriously delayed notification is itself an infringement that can be fined under Art. 83(4) – separately from any fine for the security failure that caused the breach.

When must data subjects be informed?

When the breach is likely to result in a high risk to the rights and freedoms of the affected individuals – for example when special categories of data, financial data or login credentials are exposed. Art. 34(3) provides exceptions: no individual communication is required if the data were rendered unintelligible to unauthorised persons (e.g. properly encrypted with a key that was not compromised), if subsequent measures have removed the high risk, or – where contacting each person would involve disproportionate effort – a public communication or similar measure is used instead.

Who reports in a processor relationship?

The processor must notify the controller without undue delay after becoming aware of the breach (Art. 33(2)). The notification to the authority, however, is made by the controller, and the controller's 72-hour window runs from its own awareness – which is why processor contracts should set a short, fixed internal reporting deadline.

Data breach management with SimpleAct

Record incidents, assess risk, track the 72-hour deadline and document notifications to authorities and data subjects directly from the system.
