
Article 34 GDPR: Difference between revisions

From GDPRhub


==Legal Text==
<br /><center>'''Article 34 - Communication of a personal data breach to the data subject'''</center><br />


<span id="1">1.  When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.</span>


==Relevant Recitals==
<span id="r87"></span>
{{Recital/86 GDPR}}{{Recital/87 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 87''' </div>
<div class="mw-collapsible-content">
It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.
</div></div>

<span id="r88"></span>
{{Recital/88 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 88''' </div>
<div class="mw-collapsible-content">
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
</div></div>

==Commentary==
Article 34 GDPR implements the new<ref>There was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Article 17 thereof only required controllers to take adequate measures to protect personal data from breaches. ''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref> obligation of the controller to inform data subjects about a personal data breach (as defined in [[Article 4 GDPR|Article 4(12) GDPR]]) where it is likely to result in a high risk to the rights and freedoms of natural persons. This obligation to notify data subjects is therefore closely connected to and supplements the controller's independent obligation to notify the relevant supervisory authority ("SA") under [[Article 33 GDPR]]. See therefore also the Commentary on [[Article 33 GDPR]].<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).</ref>

As described there, Articles [[Article 33 GDPR|33]] and 34 are also closely linked with Article 32 GDPR, which obliges controllers as well as processors to implement appropriate security measures. Further, the assessment of whether a notification of the data subject is necessary (due to the resulting high risk to the rights and freedoms of the natural person) as well as the notification itself should be covered by the controller's respective policy (''Incident Response Plan''), as described in more detail in the commentary on [[Article 33 GDPR]].
 
Paragraph 1 of this provision imposes an obligation on controllers to notify data subjects without undue delay about a personal data breach where such breach is likely to result in a high risk to the rights and freedoms of natural persons.  
 
Paragraph 2 describes the linguistic requirements for the information given to data subjects ("''clear and plain language''"), its purpose (describing "''the nature of the personal data breach''") and its minimum content (contact points, consequences, actions taken or otherwise planned).


Paragraph 3 provides for exceptions to the information obligation in specific circumstances, for example where the controller has implemented appropriate technical and organisational measures that exclude any harm.
 
Finally, paragraph 4 authorises the SA to require the controller to inform the data subjects about a personal data breach in case it has not already done so. Alternatively, the SA might decide that one of the exemptions in Article 34(3) is applicable.
 
EDPB Guidelines: 
 
* [https://www.edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf EDPB, 'Guidelines 01/2021 on Examples regarding Personal Data Breach Notification', 14 December 2021 (Version 2.0)]; and
* [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0)].
 
=== (1) Communication of a personal data breach to the data subject ===
Article 34(1) GDPR obliges the controller to communicate, without undue delay, the personal data breach to data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons. This means that not all personal data breaches have to be communicated to the data subjects - not even all personal data breaches have to be reported to the SA under Article 33 GDPR.
 
This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the (failed) security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere.
 
{{Quote-example|After learning about a personal data breach involving their phone number, a data subject could switch numbers or pay more attention when they are contacted in a suspicious way. Similarly, a data subject might decide to close their account with their bank and look for a more secure financial institution after a personal data breach reveals significant vulnerabilities in the bank's security measures. Further, a data subject might simply block their credit card after learning that it has been compromised in a personal data breach.}}


==== Personal data breach ====
The obligation to notify data subjects of a personal data breach stipulated in this provision refers to the notion of a personal data breach defined in [[Article 4 GDPR|Article 4(12) GDPR]], i.e. “''a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed''”. For more information, see commentary on [[Article 4 GDPR|Article 4(12) GDPR]]. However, as mentioned above, the obligation to communicate the personal data breach to data subjects only arises where there is a high risk to the rights and freedoms of natural persons, likely resulting from the personal data breach (see below).<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).</ref>

==== Is likely to result in a high risk to the rights and freedoms of natural persons ====
Article 34(1) GDPR differs in an important respect from the obligation to notify the SA about a personal data breach in accordance with [[Article 33 GDPR]]. Instead of having to notify the SA of a breach that leads to ''any kind of risk'' to data subjects, the controller only has the obligation to communicate a personal data breach to data subjects where it is likely to lead to a ''high risk to the rights and freedoms of natural persons''. The threshold for communicating the breach to data subjects concerned is therefore higher than in [[Article 33 GDPR]].<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition) with further reference.</ref> In any event, the controller needs to perform an assessment considering the risks for data subjects resulting from the personal data breach. For this risk assessment (consideration of the likelihood and severity of the impact of the personal data breach on the rights and freedoms of the data subjects) and the factors to consider, see commentary on [[Article 33 GDPR|Article 33(1) GDPR]].

{{Quote-EDPB|"[...] This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 102.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}

Examples of "''high risk''" situations include, ''inter alia'', a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), Annex B (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>

The fact that controllers only have to communicate personal data breaches likely to result in a high risk to natural persons should strike a balance between, on the one hand, the controller's interest in not notifying data subjects (often customers or business partners) about circumstances that might well be harmful to its reputation, and in not overloading data subjects with information about merely limited risks, and, on the other hand, the need to give data subjects the ability to take measures to reduce the harm that might result from a personal data breach.<ref>Compare ''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition) with further references.</ref>

Controllers might be incentivised to perform this assessment in a way that shows no high risk for data subjects in order to avoid the communication stipulated in this provision. Therefore, the SA has the authority to require the controller to communicate the personal data breach to the affected data subjects.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition).</ref>

==== The controller ====
The obligation set forth in this provision addresses controllers as defined in [[Article 4 GDPR|Article 4(7) GDPR]]. Please see the commentary on [[Article 33 GDPR|Article 33(1) GDPR]] on this point, including notes on joint controllership and the relationship with processors and with manufacturers.

It is worth highlighting that the processor's obligation under [[Article 33 GDPR|Article 33(2) GDPR]] to notify controllers “''without undue delay''” once they identify a personal data breach is also essential for the controller's obligation to notify data subjects under this provision (see commentary on [[Article 33 GDPR|Article 33(1) and (2) GDPR]]). However, the processor is neither obliged to communicate the personal data breach to data subjects, nor supposed to assess the risk to the rights and freedoms of natural persons; this is the obligation of the controller.<ref>Compare ''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 7 (C.H. Beck 2024, 4th Edition).</ref>

==== Shall communicate [the breach] to the data subject ====
The affected data subjects should be notified of the relevant breach directly by the controller. When communicating a breach to data subjects, dedicated messages should be used, separate from regular updates, newsletters or standard messages. Otherwise, the affected data subjects might not realise the relevance of the communication, which should be a clear and transparent communication of the personal data breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 et seq (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref> Recital 86 states in this regard that the communication to the data subjects should "''describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects''".

In case a direct notification to the affected data subjects would involve a ''disproportionate effort'', the communication of a personal data breach could also be done via public communication or similar measures, ensuring that data subjects are informed in an equally effective manner (see the exemption in Article 34(3)(c) GDPR below).<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
{{Quote-EDPB|"Examples of transparent communication methods include direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual. The EDPB recommends that controllers should choose a means that maximizes the chance of properly communicating information to all affected individuals. Depending on the circumstances, this may mean the controller employs several methods of communication, as opposed to using a single contact channel."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 90.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
Controllers will generally be in the best position to determine the most suitable contact channel and method for communicating a breach to individuals, especially if they have regular interactions with their customers. However, it is crucial for controllers to exercise caution when selecting a contact channel, as using a channel compromised by the breach could potentially enable attackers to impersonate the controller.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 92 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>

The communication should take place in a language understood by the data subjects. This could be the language in which previous communication with the data subject took place or the local national language of the data subjects. It may be appropriate to provide the communication in several languages.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 91 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>

In some cases, it might also be appropriate for the controller to consult the SA regarding the communication to data subjects about a personal data breach, as well as on how to formulate an appropriate message and what the most appropriate way would be to contact the affected natural persons.<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 94 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> This could be the case if the controller is unable to assess whether the personal data breach will likely result in a high risk for the rights and freedoms of natural persons.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).</ref> Moreover, according to Recital 88, the legitimate interests of law-enforcement authorities are also to be considered where the early disclosure of a personal data breach could unnecessarily hamper investigations connected to the breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
{{Quote-EDPB|"Whenever it is not possible for the controller to communicate a breach to an individual because there is insufficient data stored to contact the individual, in that particular circumstance the controller should inform the individual as soon as it is reasonably feasible to do so (e.g. when an individual exercises their Article 15 right to access personal data and provides the controller with necessary additional information to contact them)."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 96.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}

==== Without undue delay ====
Article 34(1) GDPR stipulates that controllers must notify data subjects of a data breach “''without undue delay''” - in other words, given the likelihood of high risks for the data subject (see above), ''as soon as possible'', considering that such a communication should enable data subjects to take individual steps to protect themselves from any negative consequences of the breach of their personal data.<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 83 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]); in contrast, Recital 86 states that this communication "should be made as soon as reasonably feasible". </ref> However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in [[Article 33 GDPR]]; for more information on the term "without undue delay", compare also the commentary on Article 33 GDPR. Instead, timelines should be assessed depending on the nature and gravity of the breach itself, the level of risk to natural persons and the need to implement appropriate technical and organisational measures before the communication. Recital 86 GDPR provides examples of issues to take into account when assessing the timeliness of a notification to data subjects: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''”

Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>

=== (2) Minimal requirements for the controller's communication to the data subject ===
The communication to the data subjects should enable them to take any steps to protect themselves.<ref>Recital 86 GDPR: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions''”.</ref> Article 34(2) GDPR therefore requires that the communication to the data subject (Article 34(1) GDPR) must contain a description in ''clear and plain language'' of the ''nature'' of the breach as well as the elements outlined in [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]]. Namely, the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the data breach; and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

==== Describe in clear and plain language ====
This wording is already used in [[Article 12 GDPR|Article 12(1) GDPR]], requiring controllers to provide any communication under Articles [[Article 13 GDPR|13]] to [[Article 22 GDPR|22]] and 34 "''in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child''". Due to the use of the term "clear and plain language", reference can be made to that provision, which is also directly applicable to the communication to affected data subjects under this provision. See therefore commentary on [[Article 12 GDPR|Article 12(1) GDPR]]. Regarding the language the controller should use for the communication, see commentary on Article 34(1) GDPR above.

==== (a) Nature of the personal data breach ====
See commentary on Article 33(3) GDPR, which already describes the controller's obligation to provide the SA with "''the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned''". However, it should be noted that the additional elements mentioned there are not required in the communication to the data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2024, 4th Edition).</ref>

==== (b) Point of contact ====
Article 34(2) GDPR provides for the obligation to include information about the name and contact details of the data protection officer or other contact point where more information can be obtained, by reference to Article 33(3)(a) GDPR. See, therefore, commentary on [[Article 33 GDPR|Article 33(3)(a) GDPR]].

In the case of the communication to the affected data subjects, special consideration should be given to the urgent nature of the communication, considering that it is mandatory only in cases of "high risk" to the data subject. The contact point for data subjects should therefore be easily and directly reachable. Consequently, obstructive methods that, for example, require the requester to navigate complex online systems to establish contact are not permissible at this stage. In such cases, an email address seems more appropriate.

==== (c) Consequence of the breach ====
Again, reference can be made to commentary on the provision in [[Article 33 GDPR|Article 33(3)(c) GDPR]]. However, it should be recalled that the communication to the data subject has to use clear and plain language. The use of examples and accessible terminology allows the data subject to immediately understand the risks they are facing and the most appropriate actions to take.<blockquote>{{Quote-example|An e-commerce platform experiences a cyber attack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that, due to the breach, it will be necessary to change their service password and ensure that the same value is not used to access other services. In such a case, the user should be advised to change those passwords as well to prevent further unauthorised access.}}</blockquote>

==== (d) Measures taken or proposed ====
Also regarding the description of measures taken or proposed to be taken by the controller to address the personal data breach (including, where appropriate, measures to mitigate its possible adverse effects), reference can be made to the commentary on [[Article 33 GDPR|Article 33(3)(d) GDPR]]. It should be considered, however, that the information on measures to mitigate the potential adverse effects will probably be especially important for the affected data subjects.

==Commentary==
==== Overview ====
Article 34 GDPR relates to the obligation imposed on the data controller to inform an affected data subject of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons. Whilst it is very similar to [[Article 33 GDPR]] on notification of a data breach to the relevant supervisory authority, it differs in many aspects. It is important to note that the obligation to notify the data subject remains independent from any obligation to notify the relevant supervisory authority under [[Article 33 GDPR]].<ref>''Burton'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref>

As with [[Article 33 GDPR]], there was no equivalent to Article 34 GDPR in the Data Protection [[Directive 95/46/EC]]. Again, [[Article 17 Directive 95/46/EC]] is the only related article, requiring the data controller to take adequate measures to protect personal data from breaches.<ref>''Burton'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref>

==== Member State law ====
First, it is important to highlight that, according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. As a result, several Member States have adopted their own rules on communicating a breach to the affected data subject.<ref>''Burton'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 34 GDPR, p. 658 (Oxford University Press 2020).</ref> The commentary on [[Article 23 GDPR]] is available for further guidance on conditions for restricting the scope of obligations and rights.

Additionally, Recital 86 GDPR provides that the obligation imposed on the data controller to communicate the breach to the data subject may be affected by the guidance of a Member State’s law-enforcement authority. Recital 88 GDPR goes on to mention that rules and procedures on notification should “''take into account the legitimate interest of law enforcement authorities''” so as to ensure that disclosure does not hinder any ongoing investigation of the data breach.

However, it should be noted that Recital 88 GDPR refers to “''notification''” and not “''communication''”. Other authors, such as Burton, do not make this distinction: they presume that Recital 88 GDPR applies just as much to Article 34 GDPR as it does to [[Article 33 GDPR]].<ref>''Burton'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 34 GDPR, p. 662 (Oxford University Press 2020).</ref> Nonetheless, it is argued here that the lack of mention of “''communication''” should not be overlooked. Instead, Recital 88 GDPR's wording (or lack thereof) suggests that it is only relevant to [[Article 33 GDPR]] (“''Notification''...”) and not Article 34 GDPR (“''Communication''...”).

=== “Personal data breach” ===
“''Personal data breach''” should be defined from the outset, before establishing the point at which a data controller has a duty to notify the competent supervisory authority of such a breach. On this point, see [[Article 33 GDPR]].

==== Obligation for the data controller to communicate the breach to the data subject. ====
Article 34(1) GDPR makes it clear that not all breaches must be communicated to the data subject. However, it is apparent from the wording of Article 34(1) GDPR<ref>The data controller “shall” communicate.</ref> that there is an obligation imposed on the data controller to communicate the personal data breach to the affected individual.

==== Condition of a “high risk”. ====
Article 34(1) GDPR differs from [[Article 33 GDPR]]. Instead of having to notify the supervisory authority of a breach that leads to '''any kind of risk''' to the data subject, the data controller only has the obligation to communicate a breach to the data subject where it may lead to a “'''''high''''' ''risk to the rights and freedoms of natural persons''”.

Therefore, the threshold for communicating the breach to the data subject concerned is higher than in Article 33. Some seem to label this choice as reasonable: a higher threshold was deemed necessary to avoid “''fatigue''” amongst data subjects, as would be the case if individuals concerned were warned for every breach of the GDPR.<ref>''Bensoussan'', Règlement européen sur la protection des données, p. 255 (Bruylant 2017).</ref>

The data controller will have to assess the level of risk which may ensue for the data subject as a result of the breach. According to the Guidelines, a high risk resulting from the data breach is assessed on the basis of the circumstances at stake. As with [[Article 33 GDPR]], this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 8 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> Examples include, amongst others:

* the effects of a cyberattack on an online marketplace where usernames, passwords and purchase history are made public;
* the effect of medical records in a hospital made inaccessible due to a cyberattack; or
* the effect of personal data being mistakenly sent to a wrong mailing list (with over a thousand recipients).<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, Annex B (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>

Bensoussan, however, correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the data controller is the entity making the assessment of the level of the risk.<ref>''Bensoussan'', Règlement européen sur la protection des données, p. 255 (Bruylant 2017).</ref>

==== Without undue delay. ====
Another condition outlined under Article 34(1) GDPR is that the data controller must notify the data subject of a data breach “''without undue delay''”. The WP29 Guidelines interpret this as “''as soon as possible''”<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 20 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> or “''as soon as reasonably feasible''” according to Recital 86 GDPR. However, Article 34 GDPR does not provide a specific time condition of 72 hours as is the case in [[Article 33 GDPR]].

Instead, timeliness will be assessed depending on the nature and gravity of the breach itself, as well as the level of (high) risk to natural persons.<ref>See Recital 87.</ref> This is apparent from Recital 86, which provides an example of a scenario where the timeliness condition will be different: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''” Similarly, Recital 88 indicates that communication to the data subject may be delayed to preserve the integrity of an investigation (by a law-enforcement authority) into the circumstances of the breach.

In this context, it is important to note that as there is no specific time condition of 72 hours, the question of when this time limit formally begins does not arise.<ref>See Article 33 for a discussion on the moment where a data controller becomes “''aware''” of a data breach, triggering.</ref>

==== Communication to the data subject. ====
In addition to general details on the obligation to communicate to the data subject, Article 34(2) GDPR provides further specifications as to how this must be achieved.

===== Language to be used. =====
Article 34(2) GDPR provides an indication of how the data controller must communicate such a high-risk breach to the data subject. It is outlined that the data controller must use “''clear and plain language''” when explaining the '''nature''' of the breach to the data subject.

However, it is worth noting that the requirement of using “''clear and plain language''” does not seem to apply to the remainder of the sentence in Article 34(2) GDPR. As such, there is no specification as to the type of language to be used when outlining the other “''information and measures''” that must also be provided to the data subject.<ref>See section below for further detail on what must be communicated.</ref>

===== Details to communicate. =====
Article 34(2) GDPR stipulates that the information that must be communicated to the data subject, in addition to a clear description of the “''nature''” of the breach, is outlined in [[Article 33 GDPR|Article 33(3)(b)(c)(d) GDPR]]. The data controller must therefore:

* ''“(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;”''


-      ''(c) describe the likely consequences of the personal data breach;”''
==== Additional information ====
As indicated by the phrase “''at least''” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller ''“should''” provide “''recommendations for the natural person concerned to mitigate potential adverse effects''”. The information given to data subjects should therefore enable them to take any “''necessary precautions''”, which, although not directly mentioned by [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]] could be shared as additional information by the controller


-       ''“(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”''<ref>The WP29 Guidelines provide examples of measures that can be taken to address the breach of mitigate the adverse effects. These notably include, letting the data subject know that it has received advice from the relevant supervisory authority. WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 20 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>
=== (3) Exemptions from the obligation to communicate to the data subject ===
Article 34(3) GDPR lists three exemptions from the controller’s obligation to communicate the breach to data subjects. It should be noted that, as per the accountability principle, controllers are required to provide evidence to the SA to demonstrate the applicability of one or more of the specified conditions if they rely upon them. The EDPB also notes that, although the communication may not be immediately necessary (if there is no risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would need to be reassessed accordingly.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 98 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>


This list of information to be provided to the data subject is non-exhaustive as indicated by the phrase “''at least''” found under Article 34(2) GDPR. Recital 86 outlines that the data controller ''“should''” provide “''recommendations for the natural person concerned to mitigate potential adverse effects''”. It is expected, according to that Recital, that the information given to the data subject would enable him or her to take any “''necessary precautions''”. As such, these could be included as additional information to be given by the data controller although not stipulated outright under [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]].  
{{Quote-EDPB|"If a controller decides not to communicate a breach to the individual, Article 34(4) GDPR explains that the supervisory authority can require it to do so, if it considers the breach is likely to result in a high risk to individuals. Alternatively, it may consider that the conditions in Article 34(3) GDPR have been met in which case notification to individuals is not required. If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions"|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}


The information that must be given to the data subject following a high risk breach must enable that data subject to take any steps to protect themselves.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 20 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> This position adopted by the WP29 is supported by the text in Recital 86: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to '''take the necessary precautions'''''”. Therefore, Article 34 GDPR attempts to empower the data subject even in the event of a personal data breach that affects them.
==== (a) The controller has applied “''appropriate technical and organisational protection measures''” ====
The first exception from the obligation to communicate a personal data breach to the affected data subjects is applicable if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach. This provision specifically mentions measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.


===== Method of communicating. =====
In other word, the exception applies if, ''prior to the breach'', the controller had implemented suitable technical and organizational measures to safeguard the personal data. In particular, these measures aim to make the personal data incomprehensible to unauthorized individuals. One effective approach is the use of pseudonymisation, advanced encryption techniques or tokenisation to protect the personal data. These security measures ensure that even if the data is accessed unlawfully, it remains unintelligible and therefore protected.<ref>The encryption must be "state-of-the-art". See, EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
Article 34 GDPR should be understood as requiring the data controller to communicate the data breach to the data subject directly.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> According to the WP29 Guidelines, such “''dedicated messages''” must be clear and transparent. WP29 provides examples of ways in which data controllers can communicate transparently:


-       Direct messaging such as email, SMS or direct message; or
{{Quote-EDPB|Since effective pseudonymisation can mitigate adverse effects of data breaches, it may also be considered when assessing the obligations a controller has under Art. 33 and 34 GDPR. In particular, it may be regarded as an appropriate technical and organisational measure that limits the impact of a personal data breach in the sense of Art. 34(3)(a) GDPR. However, the content of data that was accessed without authorisation can still be analysed by the actor who accessed it.
Careful analysis is required in this case to establish whether the pseudonymisation has reduced the risks resulting from the data breach sufficiently to render communication of the breach to the affected data subjects unnecessary, Art. 34(1) and (3) GDPR.|EDPB, ‘Guidelines 1/2025 on Pseudonymisation’, 16 January 2025 (Version for public consultation), margin number 62.|4=https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en}}{{Quote-example|An unauthorised person got access to a device where highly sensitive personal data are stored. However, the content of such a device in encrypted. Therefore, even if a data breach occurred theoretically entailing high risks for data subject, the obligation under Article 34(1) is not triggered, as the authorised party will not be able to make use of the data obtained.}}


-       Website banner with draws the user’s attention; or
==== (b) The controller takes “''subsequent measures''” that diminish the likelihood of a high risk ====
The second exception applies in case the controller has taken ''subsequent measures'' ensuring that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise.


-       Communication via post; or
“''Subsequent''” measures should therefore be interpreted as measures, adopted immediately following a personal data breach, which are able to mitigate the likelihood of the high risk to individuals' rights and freedoms from materialising. For instance, in certain situations, the controller may have promptly identified and addressed the unauthorized access to personal data, preventing any further misuse. However, it is essential to consider the potential consequences of a breach of confidentiality, taking into account the nature of the data involved.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>


-       Print media.
In addition, it must be stressed that after a risk actually materialised, the controller can no longer invoke subsequent measures to avoid communication to the data subject. Even if subsequent measures could mitigate damages and reduce further risks, the controller is no longer in the position to evaluate what kind of negative consequences could stem from the original data breach. Therefore, a communication to the people concerned is the most effective way to prevent an even greater impact on their rights and freedoms.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2024, 4th Edition).</ref>


The data controller may decide to rely on multiple communication methods depending on the gravity of the breach. Additionally, it may be necessary to make the communication available in a language relevant to the affected data subject. This language can be determined on the basis of previous communication between the data controller and the data subject or, where this is not applicable, according to the national language where the data subject resides.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>
==== (c) The communication would demand a disproportionate effort from the controller ====
The last exception in this provision applies if the communication of the personal data breach would involve a disproportionate effort. In that case, the controller must instead make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.


The requirement of transparency makes it clear that a communication of the breach should not be hidden within a regular or obscure communication channel. Such regular or obscure communication channels could include a newsletter or standard message or a corporate blog.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>
In other words, in cases where notifying the data subject would require a disproportionate effort, the controller is not obligated to inform the individual. The concept of "''disproportionate effort''" is not explicitly defined in the GDPR. However, it is understood that the effort involved in notifying data subjects relates to the scope of the breach, particularly the number of individuals affected. As the number of affected individuals increases, the communication process becomes proportionally more complex. Nevertheless, since this exception should be interpreted restrictively, the notion of disproportionate effort should be evaluated in relation to the size of the organisation and the availability of technical tools for conducting notifications. In other words, a large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden. In such cases, the effort required cannot be deemed "disproportionate".<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2025, 2nd Edition).</ref> If the effort is in fact "''disproportionate''", an alternative obligation exists, namely the requirement to publicly disclose the breach, which should be equally effective in ensuring transparency and accountability. The EDPB suggests that “''technical arrangements''” could nonetheless be taken to ensure that data subjects can access further information upon request.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>  


==== Exemptions from the obligation to communicate to the data subject. ====
==== Other exemptions ====
Article 34(3) GDPR provides a list of conditions which would exempt the data controller from its obligation to communicate the breach to the data subject concerned. The three exhaustive circumstances are as follows:
It is important to highlight that according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR.


-      the data controller is not required to communicate a breach where it has “''appropriate technical and organisational protection measures''” in place. Such measures must be employed on the data concerned by the breach and make such personal data unintelligible to non-authorised persons. This includes, for example, measures taken to encrypt<ref>Encryption must be "state-of-the-art". See WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 22 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref> the data (Article 34(3)(a) GDPR) .  
=== (4) Involvement of the supervisory authority ===
As mentioned previously, Article 34(4) GDPR authorises the SA to require the controller to communicate a personal data breach to the affected data subjects in case the controller did not already do so. Moreover, the SA might also decide that any of the conditions listed in Article 33(3) GDPR are met which means that no communication of the personal data breach is necessary.


-      communicating the breach to the concerned data subject is not required where the controller takes “''subsequent measures''” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b) GDPR). According to the WP29 Guidelines, “''subsequent''” measures should be interpreted as immediate measures.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 22 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>
In that regard, it should be recalled that the threshold triggering the communication of a personal data breach to the affected data subjects under Article 34 GDPR is higher than for the notification obligation to the SA under [[Article 33 GDPR]]. Therefore, in all cases where a communication to the affected data subjects is necessary, the notification to the SA is also necessary. Thus, since the SA should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons.  


-      the data controller is not required to communicate the breach to the affected data subject where this would demand a disproportionate effort from the controller. Article 34(3)(c) GDPR specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “''technical arrangements''” be taken to ensure that the data subject can have access to further information on demand.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 22 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>  
It should also be noted that the SA can also provide advice to the controller. This advice can relate to the assessment of the risk to the data subjects or on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 94 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>


According to Burton, the burden of proof falls on the data controller to demonstrate that any of the above mentioned conditions apply to exempt them from the requirement of communicating the breach to the affected data subject.<ref>''Burton'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 34 GDPR, p. 659 (Oxford University Press 2020).</ref>
==== Not already communicated the breach to the data subject ====
Obviously, this provision only applies in situations in which the controller did not already communicate the breach to the affected data subjects. However, it is questionable to what extent the authority could use its power to require the controller to communicate a personal data breach to the affected data subjects in cases where it considers a prior communication of the controller to be incomplete or insufficient. It would make sense for the SA to also require improved communication in those cases.  


==== Implications for a data processor. ====
==== The supervisory authority ====
There is no specific obligation imposed on a data processor in relation to communication of the breach to the data subject. In compliance with [[Article 33 GDPR|Article 33(2) GDPR]], the data processor will have to notify the data controller “''without undue delay''” where they identify a personal data breach.<ref>See Commentary on [[Article 33 GDPR]].</ref> However, any additional obligation to notify the data subject of a “''high risk''” to their rights and freedoms only falls upon the data controller.
While [[Article 33 GDPR|Article 33(1) GDPR]] specifically mentions the SA competent in accordance with [[Article 55 GDPR]] regarding the controller's notification obligation, Article 34(4) GDPR only mentions the SA. However, it is reasonable to consider this provision referring to the SA which got notified under Article 33(1) GDPR.  


Nonetheless, [[Article 28 GDPR|Article 28(3) GDPR]] helps to understand the role of a data processor in relation to the data controller. Services provided to a data controller by a data processor must be “''governed by a contract or other legal act'' […]” according to [[Article 28 GDPR|Article 28(3) GDPR]]. In addition, [[Article 28 GDPR|Article 28(3)(f) GDPR]] specifically requires that this contract or legal act stipulate that the data processor “''shall''” support the data controller in ensuring compliance with obligations found under [[Article 32 GDPR|Article 32 to 36 GDPR]].  
==== Having considered the likelihood of the breach resulting in a high risk ====
In order for the SA to use its power to request the controller to communicate a personal data breach to the affected data subjects, it must consider the likelihood of the data breach resulting in a high risk. Therefore, it can correct a faulty risk assessment by the controller in case the controller came to the conclusion that no high risk for the rights and freedoms of the data subjects are likely to result from the personal data breach.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 17 (NOMOS 2025, 2nd Edition).</ref>


Therefore, a contract between the data controller and processor can specify how the processor can support the data controller in respecting the latter’s obligation to communicate the breach as per Article 34.  
==== May require [the controller] to do so ====
In such case, the authority can instruct the controller to communicate the breach to the affected data subjects. 
{{Quote-EDPB|"[...] If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
However, the SA is not authorised under this provision to communicate the personal data breach to the affected data subjects directly.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 16 (C.H. Beck 2024, 4th Edition).</ref> 


==== Involvement of the supervisory authority. ====
==== May decide that [exemptions] are met ====
As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in [[Article 33 GDPR]]. It is possible to deduce from this condition that wherever the controller has the obligation to communicate the data breach to the data subject under Article 34, the data controller will also have notified the relevant supervisory authority in accordance with [[Article 33 GDPR|Article 33(1) GDPR]].<ref>As notifying the relevant supervisory is an obligation under Article 33 GDPR wherever there is a “''risk''” rather than just a “''high risk''”.</ref> Therefore, as the supervisory authority will be aware of the data breach, it can also be involved in the data controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR.  
The SA can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller of its obligation to communicate the personal data breach to affected individuals. This can be very helpful for a controller who is uncertain whether or not one of the exceptions might apply.
{{Quote-example|The notification of the affected data subjects could involve a significant effort and the controller could be uncertain if this could already be considered a disproportionate effort and a public communication of the personal data breach would suffice. A decision by the SA might help to provide the controller with clearity.}}


Accordingly, Article 34(4) GDPR suggests that the supervisory authority can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. As specifically outlined in this paragraph, the notified<ref>In accordance with [[Article 33 GDPR]].</ref> supervisory authority can instruct the data controller to communicate the breach to the affected data subjects. The supervisory authority can also decide whether any of the Article 34(3) GDPR exceptions are met, exempting the data controller from its obligation to communicate the personal data breach to affected individuals.
Finally, involvement of the supervisory authority can include providing advice to the data controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French data protection authority (CNIL) provides a tool to help data controllers assess the gravity of personal data breaches.<ref>''Bensoussan'', Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).</ref> The relevant supervisory authority can also provide advice on the method of communicating the breach to the data subject, such as how to identify an adequate channel to communicate to the data subject, the language to communicate in and/or what kind of message to send.<ref>WP29, Guidelines on Personal data breach notification under Regulation 2016/679 (WP250rev.01), 3 October 2017, p. 21 (available [https://ec.europa.eu/newsroom/article29/redirection/document/49827 here]).</ref>
==Decisions==
→ You can find all related decisions in [[:Category:Article 34 GDPR]]

Latest revision as of 15:29, 19 March 2025

Article 34 - Communication of a personal data breach to the data subject

Legal Text


Article 34 - Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Relevant Recitals

Recital 86: Communicating the Breach to the Data Subject

Recital 87: Timing and Result of Notification

Recital 88: Notification Rules and Procedures

Commentary

Article 34 GDPR implements the new[1] obligation of the controller to inform data subjects about a personal data breach (as defined in Article 4(12) GDPR) where it is likely to result in a high risk to the rights and freedoms of natural persons. This obligation to notify data subjects is therefore closely connected to and supplements the controller's independent obligation to notify the relevant supervisory authority ("SA") under Article 33 GDPR. See therefore also the Commentary on Article 33 GDPR.[2]

As described there, Articles 33 and 34 GDPR are also closely linked with Article 32 GDPR, which obliges controllers as well as processors to implement appropriate security measures. Further, the assessment of whether a communication to the data subjects is necessary (due to the resulting high risk to the rights and freedoms of the natural person), as well as the communication itself, should be covered by the controller's respective policy (Incident Response Plan), as described in more detail in the commentary on Article 33 GDPR.

Paragraph 1 of this provision imposes an obligation on controllers to notify data subjects without undue delay about a personal data breach where such breach is likely to result in a high risk to the rights and freedoms of natural persons.

Paragraph 2 describes linguistic requirements the information to the data subjects should have ("clear and plain language"), its purpose (describing "the nature of the personal data breach") and minimum content (contact points, consequences, actions taken or otherwise planned).

Paragraph 3 provides for exceptions to the information obligation in specific circumstances, for example where the controller had already applied appropriate technical and organisational measures, such as encryption, that render the affected personal data unintelligible to unauthorised persons.

Finally, paragraph 4 authorises the SA to require the controller to inform the data subjects about a personal data breach where it has not already done so. The SA may also decide that one of the exemptions in Article 34(3) GDPR applies.


(1) Communication of a personal data breach to the data subject

Article 34(1) GDPR obliges the controller to communicate, without undue delay, the personal data breach to data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons. This means that not all personal data breaches have to be communicated to the data subjects, just as not all personal data breaches have to be notified to the SA under Article 33 GDPR.

This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the (failed) security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere.


For example: After learning about a personal data breach involving their phone number, a data subject could switch numbers or pay more attention when contacted in a suspicious way. Similarly, a data subject might decide to close their account with their bank and look for a more secure financial institution after a personal data breach reveals significant weaknesses in the bank's security measures. Further, a data subject might block their credit card after learning that it has been compromised in a personal data breach.


Personal data breach

The obligation to notify data subjects of a personal data breach stipulated in this provision refers to the notion of a personal data breach defined in Article 4(12) GDPR, i.e. “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. For more information, see commentary on Article 4(12) GDPR. However, as mentioned above, the obligation to communicate the personal data breach to data subjects only arises where there is a high risk to the rights and freedoms of natural persons, likely resulting from the personal data breach (see below).[3]

Is likely to result in a high risk to the rights and freedoms of natural persons

Article 34(1) GDPR differs in an important respect from the obligation to notify the SA about a personal data breach in accordance with Article 33 GDPR. Instead of having to notify the SA of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a personal data breach to data subjects where it is likely to lead to a high risk to the rights and freedoms of natural persons. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR.[4] In any event, the controller needs to perform an assessment considering the risks for data subjects resulting from the personal data breach. For this risk assessment (consideration of the likelihood and severity of the impact of the personal data breach on the rights and freedoms of the data subjects) and the factors to consider, see commentary on Article 33(1) GDPR.


"[...] This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 102.


Examples of "high risk" situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).[5]

Limiting the communication obligation to personal data breaches that are likely to result in a high risk for natural persons is meant to strike a balance: on the one hand, the controller's interest in not notifying data subjects (often customers or business partners) of circumstances that may well damage its reputation, and the interest in not overloading data subjects with information about merely limited risks; on the other hand, the necessity of giving data subjects the ability to take measures to reduce harm that might result from a personal data breach.[6]

Controllers might be incentivised to perform this assessment in a way that shows no high risk for data subjects in order to avoid the communication stipulated in this provision. Therefore, the SA has the authority to require the controller to communicate the personal data breach to the affected data subjects.[7]

The controller

The obligation set forth in this provision addresses controllers as defined in Article 4(7) GDPR. Please see the commentary on Article 33(1) GDPR on this point including notes on joint-controllership, the relationship with processors and with manufacturers.

It is worth highlighting that the processor's obligation under Article 33(2) GDPR to notify the controller "without undue delay" after becoming aware of a personal data breach is also essential for the controller's obligation to communicate the breach to data subjects under this provision (see commentary on Article 33(1) and (2) GDPR). However, the processor is neither obliged to communicate the personal data breach to data subjects, nor supposed to assess the risk to the rights and freedoms of natural persons; this is the obligation of the controller.[8]

Shall communicate [the breach] to the data subject

The affected data subjects should be directly notified of the relevant breach by the controller. When communicating a breach to data subjects, dedicated messages should be used, separate from regular updates, newsletters or standard messages. Otherwise the affected data subjects might not realise the relevance of the message, which should be a clear and transparent communication of the personal data breach.[9] Recital 86 states in this regard that the communication to the data subjects should "describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects".

Where a direct notification of the affected data subjects would involve a disproportionate effort, the communication of a personal data breach could also be made via a public communication or similar measure, ensuring that data subjects are informed in an equally effective manner (see the exemption in Article 34(3)(c) GDPR below).[10]


"Examples of transparent communication methods include direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual. The EDPB recommends that controllers should choose a means that maximizes the chance of properly communicating information to all affected individuals. Depending on the circumstances, this may mean the controller employs several methods of communication, as opposed to using a single contact channel."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 90.

Controllers will generally be in the best position to determine the most suitable contact channel and method for communicating a breach to individuals, especially if they have regular interactions with their customers. However, controllers must exercise caution when selecting a contact channel: using a channel that was itself compromised by the breach (for example an e-mail system the attacker still has access to) could enable attackers to impersonate the controller, or to read or suppress the breach communication.[11]

The communication should be made in a language understood by the data subjects. This could be the language in which previous communication with the data subject took place or the national language of the data subjects. It may be appropriate to provide the communication in several languages.[12]

In some cases, it might also be appropriate for the controller to consult the SA regarding the communication to data subjects about a personal data breach, how to formulate an appropriate message and what the most appropriate way would be to contact the affected natural persons.[13] This could be the case if the controller is unable to assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.[14] Moreover, according to Recital 88, the legitimate interests of law-enforcement authorities are also to be considered where the early disclosure of a personal data breach could unnecessarily hamper investigations connected to the breach.[15]


"Whenever it is not possible for the controller to communicate a breach to an individual because there is insufficient data stored to contact the individual, in that particular circumstance the controller should inform the individual as soon as it is reasonably feasible to do so (e.g. when an individual exercises their Article 15 right to access personal data and provides the controller with necessary additional information to contact them)."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 96.


Without undue delay

Article 34(1) GDPR stipulates that controllers must communicate a personal data breach to data subjects "without undue delay". Given the likely high risk for the data subjects (see above), this means as soon as possible, since the communication should enable data subjects to take individual steps to protect themselves from the negative consequences of the breach of their personal data.[16] Unlike Article 33 GDPR, Article 34 GDPR does not provide a specific 72-hour deadline (for the term "without undue delay" compare also the commentary on Article 33 GDPR). Instead, the timeline depends on the nature and gravity of the breach, the level of risk to natural persons and the need to implement appropriate technical and organisational measures before the communication. Recital 86 GDPR gives examples of factors to take into account when assessing the timeliness of a communication to data subjects: "the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication".

Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.[17]

(2) Minimum requirements for the controller's communication to the data subject

The communication to the data subjects should enable them to take any steps to protect themselves.[18] Article 34(2) GDPR therefore requires that the communication to the data subject (Article 34(1) GDPR) must contain a description in clear and plain language of the nature of the breach as well as the elements outlined in Article 33(3)(b)-(d) GDPR. Namely, the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the data breach; and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Describe in clear and plain language

This wording is already used in Article 12(1) GDPR, which requires controllers to provide any communication under Articles 13 to 22 and 34 "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". Since Article 12(1) GDPR applies directly to the communication to affected data subjects under this provision and uses the same term "clear and plain language", reference can be made to it. See therefore commentary on Article 12(1) GDPR. Regarding the language the controller should use for the communication, see commentary on Article 34(1) GDPR above.

(a) Nature of the personal data breach

See commentary on Article 33(3) GDPR which already describes the controller's obligation to provide the SA with "the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned". However, it should be noted that the additional elements mentioned there are not required in the communication to the data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.[19]

(b) Point of contact

Article 34(2) GDPR provides for the obligation to include information about the name and contact details of the data protection officer or other contact point where more information can be obtained by referencing to Article 33(3)(a) GDPR. See, therefore, commentary on Article 33(3)(a) GDPR.

In the case of the communication to the affected data subjects, special consideration should be given to the urgent nature of the communication, which is mandatory only in cases of "high risk" to the data subjects. The contact point for data subjects should therefore be easily and directly reachable. Consequently, obstructive methods, for example requiring the requester to navigate complex online systems to establish contact, are not permissible at this stage. In such cases, an e-mail address seems more appropriate.

(c) Consequence of the breach

Again, reference can be made to commentary on the provision in Article 33(3)(c) GDPR. However, it should be recalled that the communication to the data subject has to use clear and plain language. The use of examples and accessible terminology allows the data subject to immediately understand the risks they are facing and the most appropriate actions to take.


For example: An e-commerce platform suffers a cyber attack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that because of the breach they need to change their password for the service and, if the same password was reused to access other services, change it there as well to prevent further unauthorised access.

(d) Measures taken or proposed

Also regarding the description of measures taken or proposed to be taken by the controller to address the personal data breach (including, where appropriate, measures to mitigate its possible adverse effects), reference can be made to the commentary on Article 33(3)(d) GDPR. It should be considered, however, that the information on measures to mitigate the potential adverse effects will probably be especially important for the affected data subjects.

Additional information

As indicated by the phrase "at least" in Article 34(2) GDPR, the list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR states that the controller "should" provide "recommendations for the natural person concerned to mitigate potential adverse effects". The information given to data subjects should therefore enable them to take any "necessary precautions"; such recommendations, although not directly mentioned in Article 33(3)(b)-(d) GDPR, can be shared by the controller as additional information.

(3) Exemptions from the obligation to communicate to the data subject

Article 34(3) GDPR lists three exemptions from the controller's obligation to communicate the breach to data subjects. It should be noted that, under the accountability principle, controllers relying on one or more of these conditions must be able to demonstrate their applicability to the SA. The EDPB also notes that, although a communication may not be immediately necessary (if there is no high risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would then need to be revisited accordingly.[20]


"If a controller decides not to communicate a breach to the individual, Article 34(4) GDPR explains that the supervisory authority can require it to do so, if it considers the breach is likely to result in a high risk to individuals. Alternatively, it may consider that the conditions in Article 34(3) GDPR have been met in which case notification to individuals is not required. If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions"

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.


(a) The controller has applied "appropriate technical and organisational protection measures"

The first exception from the obligation to communicate a personal data breach to the affected data subjects is applicable if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach. This provision specifically mentions measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

In other words, the exception applies if, prior to the breach, the controller had implemented suitable technical and organisational measures to safeguard the personal data, in particular measures that make the personal data incomprehensible to unauthorised persons. Effective approaches include pseudonymisation, state-of-the-art encryption or tokenisation. Such measures ensure that even if the data is accessed unlawfully, it remains unintelligible and therefore protected.[21] A practitioner should check that the measure actually held in the specific incident: encryption only renders the data unintelligible if the key was not compromised together with the data, and pseudonymisation only removes the direct identifiers, not the content (see the EDPB note below).


Since effective pseudonymisation can mitigate adverse effects of data breaches, it may also be considered when assessing the obligations a controller has under Art. 33 and 34 GDPR. In particular, it may be regarded as an appropriate technical and organisational measure that limits the impact of a personal data breach in the sense of Art. 34(3)(a) GDPR. However, the content of data that was accessed without authorisation can still be analysed by the actor who accessed it.

Careful analysis is required in this case to establish whether the pseudonymisation has reduced the risks resulting from the data breach sufficiently to render communication of the breach to the affected data subjects unnecessary, Art. 34(1) and (3) GDPR.

EDPB, ‘Guidelines 1/2025 on Pseudonymisation’, 16 January 2025 (Version for public consultation), margin number 62.


For example: An unauthorised person gains access to a device on which highly sensitive personal data are stored. However, the content of the device is encrypted with state-of-the-art encryption and the key has not been compromised. Therefore, even though a personal data breach occurred that could theoretically entail a high risk for the data subjects, the obligation under Article 34(1) GDPR is not triggered, as the unauthorised party will not be able to make use of the data obtained.
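The EDPB caveat above (pseudonymised content "can still be analysed by the actor who accessed it") is the point a security engineer has to check before relying on Article 34(3)(a). The following Python block is an added illustration, not code from GDPRhub, the EDPB or any controller: it pseudonymises a few constructed patient records with a keyed hash (HMAC-SHA256), then shows what a holder of the leaked dump can still learn without the key (all content fields, and which records belong to the same person) and what happens if the key leaked as well (pseudonyms of an enumerable identifier space are reversed by recomputation). The records, the key and the helper names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample records (hypothetical patients); not real data.
RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "diagnosis": "type 2 diabetes"},
    {"patient_id": "P-1001", "name": "Alice Example", "diagnosis": "hypertension"},
    {"patient_id": "P-2002", "name": "Bob Example", "diagnosis": "asthma"},
]

# Hypothetical pseudonymisation key; in a real deployment it is stored apart from the data.
KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated) of a direct identifier."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Strip the direct identifiers and keep the content fields the processing needs."""
    return [
        {"pseudonym": pseudonym(r["patient_id"], key), "diagnosis": r["diagnosis"]}
        for r in records
    ]


def readable_content(dump):
    """Everything a party holding only the pseudonymised dump can read without the key."""
    return sorted({r["diagnosis"] for r in dump})


def link_by_pseudonym(dump):
    """Records sharing a pseudonym still aggregate into one person's profile."""
    groups = {}
    for r in dump:
        groups.setdefault(r["pseudonym"], []).append(r["diagnosis"])
    return groups


def reidentify(dump, key: bytes, candidate_ids):
    """If the key leaked with the data, an enumerable identifier space (patient IDs)
    is reversed simply by recomputing the pseudonym for every candidate."""
    lookup = {pseudonym(c, key): c for c in candidate_ids}
    return {r["pseudonym"]: lookup.get(r["pseudonym"]) for r in dump}


def assess_34_3a(dump, key_compromised: bool):
    """Hypothetical triage summary for the Article 34(3)(a) question.
    Pseudonymisation hides who, not what: the content stays intelligible."""
    content_intelligible = len(readable_content(dump)) > 0
    return {
        "direct_identifiers_exposed": any("name" in r or "patient_id" in r for r in dump),
        "content_intelligible": content_intelligible,
        "profiles_linkable": any(len(v) > 1 for v in link_by_pseudonym(dump).values()),
        "reversible_with_key": key_compromised,
        # Only data that is unreadable AND not reversible is "unintelligible" for 34(3)(a).
        "unintelligible_in_sense_of_34_3a": (not content_intelligible) and (not key_compromised),
    }


if __name__ == "__main__":
    dump = pseudonymise(RECORDS, KEY)
    print("readable without key:", readable_content(dump))
    print("linked profiles:", link_by_pseudonym(dump))
    print("with leaked key:", reidentify(dump, KEY, ["P-1001", "P-2002", "P-3003"]))
    print(assess_34_3a(dump, key_compromised=False))
```

The triage dict makes the decision explicit: the names are gone, but the diagnoses (special-category data) remain readable and two records still link to one person, so pseudonymisation alone does not carry the 34(3)(a) exemption here; whether the remaining risk is still "high" is then the Article 34(1) assessment the EDPB refers to.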


(b) The controller takes “subsequent measures” that diminish the likelihood of a high risk

The second exception applies in case the controller has taken subsequent measures ensuring that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise.

"Subsequent" measures should therefore be interpreted as measures, adopted immediately following a personal data breach, which reduce the likelihood of the high risk to individuals' rights and freedoms materialising. For instance, the controller may have promptly identified and addressed the unauthorised access to personal data, preventing any further misuse. However, the potential consequences of a breach of confidentiality must still be considered, taking into account the nature of the data involved.[22]

In addition, it must be stressed that once a risk has actually materialised, the controller can no longer invoke subsequent measures to avoid the communication to the data subjects. Even if subsequent measures could mitigate damage and reduce further risks, the controller is no longer in a position to evaluate which negative consequences might stem from the original breach. A communication to the persons concerned is therefore the most effective way to prevent an even greater impact on their rights and freedoms.[23]

(c) The communication would demand a disproportionate effort from the controller

The last exception in this provision applies if the communication of the personal data breach would involve a disproportionate effort. In that case, the controller must instead make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

In other words, where notifying each data subject individually would require a disproportionate effort, the controller is not obliged to inform the individuals directly. The concept of "disproportionate effort" is not defined in the GDPR. It is understood that the effort involved in notifying data subjects relates to the scope of the breach, particularly the number of individuals affected: as that number increases, the communication process becomes proportionally more complex. Nevertheless, since this exception should be interpreted restrictively, the notion of disproportionate effort must be evaluated in relation to the size of the organisation and the availability of technical tools for carrying out notifications. A large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden, and in such cases the effort cannot be deemed "disproportionate".[24] If the effort is in fact disproportionate, an alternative obligation applies: the controller must publicly disclose the breach in a manner that is equally effective in informing the data subjects. The EDPB suggests that "technical arrangements" could nonetheless be put in place to ensure that data subjects can obtain further information upon request.[25]

Other exemptions

It is important to highlight that according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR.

(4) Involvement of the supervisory authority

As mentioned previously, Article 34(4) GDPR authorises the SA to require the controller to communicate a personal data breach to the affected data subjects where the controller has not already done so. Alternatively, the SA may decide that one of the conditions listed in Article 34(3) GDPR is met, in which case no communication of the personal data breach is necessary.

In that regard, it should be recalled that the threshold triggering the communication of a personal data breach to the affected data subjects under Article 34 GDPR is higher than for the notification obligation to the SA under Article 33 GDPR. Therefore, in all cases where a communication to the affected data subjects is necessary, the notification to the SA is also necessary. Thus, since the SA should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons.

It should also be noted that the SA can also provide advice to the controller. This advice can relate to the assessment of the risk to the data subjects or on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.[26]

Not already communicated the breach to the data subject

Obviously, this provision only applies in situations in which the controller did not already communicate the breach to the affected data subjects. However, it is questionable to what extent the authority could use its power to require the controller to communicate a personal data breach to the affected data subjects in cases where it considers a prior communication of the controller to be incomplete or insufficient. It would make sense for the SA to also require improved communication in those cases.

The supervisory authority

While Article 33(1) GDPR specifically mentions the SA competent in accordance with Article 55 GDPR regarding the controller's notification obligation, Article 34(4) GDPR only mentions the SA. However, it is reasonable to consider this provision referring to the SA which got notified under Article 33(1) GDPR.

Having considered the likelihood of the breach resulting in a high risk

In order for the SA to use its power to require the controller to communicate a personal data breach to the affected data subjects, it must consider the likelihood of the breach resulting in a high risk. It can thereby correct a faulty risk assessment by the controller where the controller concluded that no high risk to the rights and freedoms of the data subjects is likely to result from the personal data breach.[27]

May require [the controller] to do so

In such case, the authority can instruct the controller to communicate the breach to the affected data subjects.


"[...] If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.

However, the SA is not authorised under this provision to communicate the personal data breach to the affected data subjects directly.[28]

May decide that [exemptions] are met

The SA can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller of its obligation to communicate the personal data breach to affected individuals. This can be very helpful for a controller who is uncertain whether or not one of the exceptions might apply.


For example: Notifying the affected data subjects individually could involve a significant effort, and the controller may be uncertain whether this already amounts to a disproportionate effort such that a public communication of the personal data breach would suffice. A decision by the SA can provide the controller with clarity.


Decisions

→ You can find all related decisions in Category:Article 34 GDPR

References

  1. There was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Article 17 thereof only required controllers to take adequate measures to protect personal data from breaches. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).
  2. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).
  3. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).
  4. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition) with further reference.
  5. EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), Annex B (available here).
  6. Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition) with further references.
  7. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition).
  8. Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 7 (C.H. Beck 2024, 4th Edition).
  9. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 et seq (available here).
  10. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 (available here).
  11. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 92 (available here).
  12. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 91 (available here).
  13. EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 94 (available here).
  14. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).
  15. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available here).
  16. EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 83 (available here); in contrast, Recital 86 states that this communication "should be made as soon as reasonably feasible".
  17. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available here).
  18. Recital 86 GDPR: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”.
  19. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2024, 4th Edition).
  20. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 98 (available here).
  21. The encryption must be "state-of-the-art". See, EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
  22. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
  23. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2024, 4th Edition).
  24. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2025, 2nd Edition).
  25. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
  26. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 94 (available here).
  27. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 17 (NOMOS 2025, 2nd Edition).
  28. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 16 (C.H. Beck 2024, 4th Edition).