Article 34 GDPR
==Relevant Recitals==
{{Recital/86 GDPR}}
{{Recital/87 GDPR}}
{{Recital/88 GDPR}}
==Commentary==
Article 34 GDPR introduces a new<ref>There was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Article 17 thereof only required controllers to take adequate measures to protect personal data against breaches. ''Burton'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).</ref> obligation of the controller to inform data subjects about a personal data breach (as defined in [[Article 4 GDPR|Article 4(12) GDPR]]) where it is likely to result in a high risk to the rights and freedoms of natural persons. This obligation to communicate with data subjects is closely connected to, and supplements, the controller's independent obligation to notify the competent supervisory authority ("SA") under [[Article 33 GDPR]]. See also the commentary on [[Article 33 GDPR]].<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).</ref>
As described there, Articles [[Article 33 GDPR|33]] and 34 GDPR are also closely linked with [[Article 32 GDPR]], which obliges controllers as well as processors to implement appropriate security measures. Further, both the assessment of whether a communication to data subjects is necessary (because of a likely high risk to the rights and freedoms of natural persons) and the communication itself should be covered by the controller's breach-handling policy (''Incident Response Plan''), as described in more detail in the commentary on [[Article 33 GDPR]].
Paragraph 1 obliges controllers to communicate a personal data breach to the data subjects without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
Paragraph 2 sets out the linguistic requirements for that communication ("''clear and plain language''"), its purpose (describing "''the nature of the personal data breach''") and its minimum content (a contact point, the likely consequences, and the measures taken or proposed).
Paragraph 3 provides for exemptions from the communication obligation in specific circumstances, for example where the controller had applied appropriate technical and organisational protection measures, such as encryption, to the affected personal data, so that they are unintelligible to unauthorised persons.
Finally, paragraph 4 authorises the SA to require the controller to communicate a personal data breach to the data subjects where the controller has not already done so. The SA may also decide that one of the exemptions in Article 34(3) GDPR applies.
EDPB Guidelines:
* [https://www.edpb.europa.eu/system/files/2022-01/edpb_guidelines_012021_pdbnotification_adopted_en.pdf EDPB, 'Guidelines 01/2021 on Examples regarding Personal Data Breach Notification', 14 December 2021 (Version 2.0)]; and
* [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0)].
=== (1) Communication of a personal data breach to the data subject ===
Article 34(1) GDPR obliges the controller to communicate the personal data breach to data subjects, without undue delay, when the breach is likely to result in a high risk to the rights and freedoms of natural persons. Not all personal data breaches therefore have to be communicated to data subjects; indeed, not even all personal data breaches have to be notified to the SA under Article 33 GDPR.
This provision carries both theoretical and practical importance. On the one hand, it acknowledges the individual's right to be informed about the (failed) security of their personal data. On the other hand, it enables data subjects to make informed choices to safeguard their personal sphere.
{{Quote-example|After learning about a personal data breach involving their phone number, a data subject could switch numbers or pay closer attention when they are contacted in a suspicious way. Similarly, a data subject might decide to close their account with their bank and look for a more secure financial institution after a personal data breach reveals significant weaknesses in the bank's security measures. Further, a data subject might simply block their credit card after learning that it has been compromised in a personal data breach.}}
==== Personal data breach ====
The obligation to communicate a personal data breach to data subjects stipulated in this provision refers to the notion of a personal data breach defined in [[Article 4 GDPR|Article 4(12) GDPR]], i.e. “''a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed''”. For more information, see the commentary on [[Article 4 GDPR|Article 4(12) GDPR]]. However, as mentioned above, the obligation to communicate the personal data breach to data subjects only arises where the breach is likely to result in a high risk to the rights and freedoms of natural persons (see below).<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).</ref>
==== Is likely to result in a high risk to the rights and freedoms of natural persons ====
Article 34(1) GDPR differs in an important respect from the obligation to notify the SA of a personal data breach under [[Article 33 GDPR]]. Whereas the SA must be notified of a breach likely to result in ''any kind of risk'' to data subjects, the controller only has to communicate a personal data breach to data subjects where it is likely to result in a ''high risk to the rights and freedoms of natural persons''. The threshold for communicating the breach to the data subjects concerned is therefore higher than in [[Article 33 GDPR]].<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition) with further reference.</ref> In any event, the controller needs to assess the risks to data subjects resulting from the personal data breach. For this risk assessment (considering the likelihood and severity of the impact of the personal data breach on the rights and freedoms of the data subjects) and the factors to take into account, see the commentary on [[Article 33 GDPR|Article 33(1) GDPR]].
{{Quote-EDPB|"[...] This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 102.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
Examples of "''high risk''" situations include, ''inter alia'', a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or personal data mistakenly sent to a wrong mailing list (with over a thousand recipients).<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), Annex B (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>
The fact that controllers only have to communicate personal data breaches likely to result in a high risk to natural persons is intended to strike a balance. On the one hand, controllers have an interest in not notifying data subjects (often customers or business partners) about circumstances that may well harm the controller's reputation, and data subjects should not be overloaded with information about merely limited risks. On the other hand, data subjects need to be able to take measures to reduce the harm that might result from a personal data breach.<ref>Compare ''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition) with further references.</ref>
Controllers might be tempted to conduct this assessment in a way that finds no high risk for data subjects, in order to avoid the communication required by this provision. This is one reason why the SA has the authority under Article 34(4) GDPR to require the controller to communicate the personal data breach to the affected data subjects (see below).<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition).</ref>
==== The controller ====
The obligation set forth in this provision addresses controllers as defined in [[Article 4 GDPR|Article 4(7) GDPR]]. See the commentary on [[Article 33 GDPR|Article 33(1) GDPR]] on this point, including the notes on joint controllership and on the relationship with processors and with manufacturers.
It is worth highlighting that the processor's obligation under [[Article 33 GDPR|Article 33(2) GDPR]] to notify the controller “''without undue delay''” after becoming aware of a personal data breach is also essential for the controller's ability to communicate with data subjects under this provision (see commentary on [[Article 33 GDPR|Article 33(1) and (2) GDPR]]). However, the processor is neither obliged to communicate the personal data breach to data subjects nor responsible for assessing the risk to the rights and freedoms of natural persons; both are obligations of the controller.<ref>Compare ''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 7 (C.H. Beck 2024, 4th Edition).</ref>
==== Shall communicate [the breach] to the data subject ====
The affected data subjects should be notified directly of the relevant breach by the controller. When communicating a breach to data subjects, dedicated messages should be used, separate from regular updates, newsletters or standard messages. Otherwise the affected data subjects might not realise the relevance of what should be a clear and transparent communication of the personal data breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 et seq (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref> Recital 86 states in this regard that the communication to the data subjects should "''describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects''".
Where a direct notification to the affected data subjects would involve a ''disproportionate effort'', the communication of a personal data breach may instead be made by way of a public communication or a similar measure, provided that data subjects are informed in an equally effective manner (see the exemption in Article 34(3)(c) GDPR below).<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
{{Quote-EDPB|"Examples of transparent communication methods include direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual. The EDPB recommends that controllers should choose a means that maximizes the chance of properly communicating information to all affected individuals. Depending on the circumstances, this may mean the controller employs several methods of communication, as opposed to using a single contact channel."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 90.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
Controllers will generally be in the best position to determine the most suitable contact channel and method for communicating a breach to individuals, especially if they have regular interactions with their customers. However, controllers must exercise caution when selecting a contact channel: using a channel compromised by the breach (for example a mail system or messaging account the attacker still controls) could enable attackers to impersonate the controller towards the very data subjects being warned.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 92 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref> A related practical caveat is that breach notifications are themselves a common phishing pretext; a message that asks recipients to follow a link and enter credentials is hard to distinguish from such an attack, so the communication should point data subjects to the contact point named under Article 34(2) GDPR and to steps they can take through the service's usual, known channels.
The communication should be made in a language understood by the data subjects. This could be the language in which previous communication with the data subject took place or the local national language of the data subjects. It may be appropriate to provide the communication in several languages.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 91 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
In some cases, it might also be appropriate for the controller to consult the SA regarding the communication to data subjects about a personal data breach, including how to formulate an appropriate message and what the most appropriate way would be to contact the affected natural persons.<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 94 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref> This could be the case if the controller is unable to assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).</ref> Moreover, according to Recital 88, the legitimate interests of law-enforcement authorities are also to be considered where the early disclosure of a personal data breach could unnecessarily hamper investigations connected to the breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
{{Quote-EDPB|"Whenever it is not possible for the controller to communicate a breach to an individual because there is insufficient data stored to contact the individual, in that particular circumstance the controller should inform the individual as soon as it is reasonably feasible to do so (e.g. when an individual exercises their Article 15 right to access personal data and provides the controller with necessary additional information to contact them)."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 96.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
==== Without undue delay ====
Article 34(1) GDPR stipulates that controllers must communicate a personal data breach to data subjects “''without undue delay''”, in other words, given the likely high risk for the data subjects (see above), ''as soon as possible'', considering that the communication should enable data subjects to take individual steps to protect themselves from the negative consequences of the breach of their personal data.<ref>EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 83 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]); in contrast, Recital 86 states that this communication "should be made as soon as reasonably feasible".</ref> Unlike [[Article 33 GDPR]], Article 34 GDPR does not set a specific deadline of 72 hours (for more information on the term "without undue delay", see also the commentary on Article 33 GDPR). Instead, the appropriate timing depends on the nature and gravity of the breach itself, the level of risk to natural persons and the need to implement appropriate technical and organisational measures before the communication. Recital 86 GDPR gives examples of factors to take into account when assessing the timeliness of a communication to data subjects: “''the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.''”
Similarly, Recital 88 GDPR indicates that the communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
=== (2) Minimal requirements for the controller's communication to the data subject ===
The communication to the data subjects should enable them to take any steps necessary to protect themselves.<ref>Recital 86 GDPR: “''The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions''”.</ref> Article 34(2) GDPR therefore requires that the communication to the data subject (Article 34(1) GDPR) contain a description in ''clear and plain language'' of the ''nature'' of the breach as well as the elements outlined in [[Article 33 GDPR|Article 33(3)(b)-(d) GDPR]], namely the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the personal data breach; and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
==== Describe in clear and plain language ====
This wording is already used in [[Article 12 GDPR|Article 12(1) GDPR]], which requires controllers to provide any communication under Articles [[Article 13 GDPR|13]] to [[Article 22 GDPR|22]] and 34 "''in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child''". Since Article 12(1) GDPR uses the same terms and applies directly to the communication to affected data subjects under this provision, reference can be made to the commentary on [[Article 12 GDPR|Article 12(1) GDPR]]. Regarding the language in which the controller should communicate, see the commentary on Article 34(1) GDPR above.
==== (a) Nature of the personal data breach ====
See the commentary on Article 33(3) GDPR, which already describes the controller's obligation to provide the SA with "''the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned''". It should be noted, however, that the additional elements mentioned there are not required in the communication to data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2024, 4th Edition).</ref>
==== (b) Point of contact ====
Article 34(2) GDPR requires the communication to include the name and contact details of the data protection officer or other contact point where more information can be obtained, by reference to Article 33(3)(b) GDPR. See, therefore, the commentary on [[Article 33 GDPR|Article 33(3)(b) GDPR]].
In the case of the communication to the affected data subject, special consideration should be given to the urgency of the communication, bearing in mind that it is mandatory only in cases of "high risk" to the data subject. The contact point for data subjects should therefore be easily and directly reachable. Obstructive methods, for example requiring the data subject to navigate complex online systems to establish contact, are not acceptable at this stage; a directly monitored email address seems more appropriate.
==== (c) Consequences of the breach ====
Again, reference can be made to the commentary on [[Article 33 GDPR|Article 33(3)(c) GDPR]]. It should be recalled, however, that the communication to the data subject has to use clear and plain language. The use of examples and accessible terminology allows the data subject to understand immediately the risks they are facing and the most appropriate actions to take.<blockquote>{{Quote-example|An e-commerce platform suffers a cyberattack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that, because of the breach, they need to change the password for the service and make sure the same password is not used to access other services. If it is, the user should be advised to change those passwords as well to prevent further unauthorised access.}}</blockquote>
==== (d) Measures taken or proposed ====
Also regarding the description of the measures taken or proposed to be taken by the controller to address the personal data breach (including, where appropriate, measures to mitigate its possible adverse effects), reference can be made to the commentary on [[Article 33 GDPR|Article 33(3)(d) GDPR]]. It should be borne in mind, however, that the information on measures to mitigate the potential adverse effects will probably be especially important for the affected data subjects.
==== Additional information ====
=== (3) Exemptions from the obligation to communicate to the data subject ===
Article 34(3) GDPR lists three exemptions from the controller’s obligation to communicate the breach to data subjects. It should be noted that, in line with the accountability principle, controllers relying on one or more of these exemptions must be able to demonstrate to the SA that the relevant conditions are met. The EDPB also notes that, although a communication may not be immediately necessary (if there is no high risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would then need to be reconsidered.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 98 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
{{Quote-EDPB|"If a controller decides not to communicate a breach to the individual, Article 34(4) GDPR explains that the supervisory authority can require it to do so, if it considers the breach is likely to result in a high risk to individuals. Alternatively, it may consider that the conditions in Article 34(3) GDPR have been met in which case notification to individuals is not required. If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions"|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
==== (a) The controller has applied “''appropriate technical and organisational protection measures''” ====
The first exemption from the obligation to communicate a personal data breach to the affected data subjects applies if the controller had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach. The provision specifically mentions measures that render the personal data unintelligible to any person who is not authorised to access them, such as encryption.
In other words, the exemption applies if, ''prior to the breach'', the controller had implemented suitable technical and organisational measures to safeguard the personal data, in particular measures that make the personal data incomprehensible to unauthorised persons. Typical approaches are pseudonymisation, state-of-the-art encryption or tokenisation. Such measures ensure that even if the data are accessed unlawfully, they remain unintelligible and therefore protected.<ref>The encryption must be "state-of-the-art". See EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref> The protection must actually hold at the time of the breach: if the decryption key was compromised alongside the data, or the encryption is weak or outdated, the data cannot be regarded as unintelligible and the exemption does not apply.
{{Quote-EDPB|Since effective pseudonymisation can mitigate adverse effects of data breaches, it may also be considered when assessing the obligations a controller has under Art. 33 and 34 GDPR. In particular, it may be regarded as an appropriate technical and organisational measure that limits the impact of a personal data breach in the sense of Art. 34(3)(a) GDPR. However, the content of data that was accessed without authorisation can still be analysed by the actor who accessed it. Careful analysis is required in this case to establish whether the pseudonymisation has reduced the risks resulting from the data breach sufficiently to render communication of the breach to the affected data subjects unnecessary, Art. 34(1) and (3) GDPR.|EDPB, ‘Guidelines 1/2025 on Pseudonymisation’, 16 January 2025 (Version for public consultation), margin number 62.|4=https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en}}
{{Quote-example|An unauthorised person gains access to a device on which highly sensitive personal data are stored. However, the content of the device is encrypted with a state-of-the-art algorithm and the key has not been compromised. Therefore, even though a personal data breach has occurred that would in principle entail a high risk for the data subjects, the obligation under Article 34(1) GDPR is not triggered, as the unauthorised party will not be able to make use of the data obtained.}}
==== (b) The controller takes “''subsequent measures''” that diminish the likelihood of a high risk ====
The second exemption applies where the controller has taken ''subsequent measures'' ensuring that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise.
“''Subsequent''” measures should therefore be understood as measures, adopted immediately following a personal data breach, which are able to reduce the likelihood of the high risk to individuals' rights and freedoms materialising. For instance, in certain situations, the controller may have promptly identified and stopped the unauthorised access to personal data, preventing any further misuse. However, the potential consequences of a breach of confidentiality must still be considered, taking into account the nature of the data involved.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en here]).</ref>
In addition, it must be stressed that once a risk has actually materialised, the controller can no longer invoke subsequent measures to avoid the communication to the data subjects. Even if subsequent measures could mitigate the damage and reduce further risks, the controller is no longer in a position to evaluate what kind of negative consequences could stem from the original breach. In that situation, a communication to the persons concerned is the most effective way to prevent an even greater impact on their rights and freedoms.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2024, 4th Edition).</ref>
==== (c) The communication would demand a disproportionate effort from the controller ====
The last exemption in this provision applies if communicating the personal data breach to each data subject would involve a disproportionate effort. In that case, the controller must instead make a public communication or take a similar measure whereby the data subjects are informed in an equally effective manner.
In other words, where notifying each data subject individually would require a disproportionate effort, the controller is not obliged to inform the individuals directly. The concept of "''disproportionate effort''" is not explicitly defined in the GDPR. However, the effort involved in notifying data subjects is understood to relate to the scope of the breach, particularly the number of individuals affected: as the number of affected individuals increases, the communication process becomes proportionally more complex. Nevertheless, since this exemption is to be interpreted restrictively, disproportionate effort should be evaluated in relation to the size of the organisation and the availability of technical tools for carrying out notifications. A large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden; in such cases, the effort required cannot be deemed "disproportionate".<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2025, 2nd Edition).</ref> If the effort is in fact "''disproportionate''", an alternative obligation applies, namely the requirement to disclose the breach publicly in a manner that is equally effective in informing the data subjects. The EDPB suggests that “''technical arrangements''” could nonetheless be made to ensure that data subjects can access further information upon request.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref>
==== Other exemptions ==== | ==== Other exemptions ==== | ||
It is important to highlight that according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR | It is important to highlight that according to [[Article 23 GDPR]], Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR. | ||
=== (4) Involvement of the supervisory authority === | === (4) Involvement of the supervisory authority === | ||
As mentioned previously, | As mentioned previously, Article 34(4) GDPR authorises the SA to require the controller to communicate a personal data breach to the affected data subjects in case the controller did not already do so. Moreover, the SA might also decide that any of the conditions listed in Article 33(3) GDPR are met which means that no communication of the personal data breach is necessary. | ||
In that regard, it should be recalled that the threshold triggering the communication of a personal data breach to the affected data subjects under Article 34 GDPR is higher than for the notification obligation to the SA under [[Article 33 GDPR]]. Therefore, in all cases where a communication to the affected data subjects is necessary, the notification to the SA is also necessary. Thus, since the SA should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “''high risk''” to the rights and freedoms of natural persons. | |||
It should also be noted that the SA can also provide advice to the controller. This advice can relate to the assessment of the risk to the data subjects or on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.<ref>EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 94 (available [https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf here]).</ref> | |||
==== Not already communicated the breach to the data subject ==== | |||
Obviously, this provision only applies in situations in which the controller did not already communicate the breach to the affected data subjects. However, it is questionable to what extent the authority could use its power to require the controller to communicate a personal data breach to the affected data subjects in cases where it considers a prior communication of the controller to be incomplete or insufficient. It would make sense for the SA to also require improved communication in those cases. | |||
==== The supervisory authority ====
While [[Article 33 GDPR|Article 33(1) GDPR]] specifically mentions the SA competent in accordance with [[Article 55 GDPR]] regarding the controller's notification obligation, Article 34(4) GDPR only mentions the SA. However, it is reasonable to read this provision as referring to the SA that was notified under Article 33(1) GDPR.
==== Having considered the likelihood of the breach resulting in a high risk ====
In order for the SA to use its power to request the controller to communicate a personal data breach to the affected data subjects, it must consider the likelihood of the data breach resulting in a high risk. Therefore, it can correct a faulty risk assessment by the controller in case the controller came to the conclusion that no high risk to the rights and freedoms of the data subjects is likely to result from the personal data breach.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 17 (NOMOS 2025, 2nd Edition).</ref>
==== May require [the controller] to do so ====
In such a case, the authority can instruct the controller to communicate the breach to the affected data subjects.
{{Quote-EDPB|"[...] If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions."|EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 99.|4=https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf}}
However, the SA is not authorised under this provision to communicate the personal data breach to the affected data subjects directly.<ref>''Jandt'', in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 16 (C.H. Beck 2024, 4th Edition).</ref>
==== May decide that [exemptions] are met ====
The SA can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller of its obligation to communicate the personal data breach to affected individuals. This can be very helpful for a controller who is uncertain whether or not one of the exceptions might apply.
{{Quote-example|The notification of the affected data subjects could involve a significant effort, and the controller could be uncertain whether this already amounts to a disproportionate effort so that a public communication of the personal data breach would suffice. A decision by the SA might help to provide the controller with clarity.}}
==Decisions==
→ You can find all related decisions in [[:Category:Article 34 GDPR]]
Latest revision as of 15:29, 19 March 2025
Legal Text
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
- (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- (b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Relevant Recitals
Commentary
Article 34 GDPR implements the new[1] obligation of the controller to inform data subjects about a personal data breach (as defined in Article 4(12) GDPR) where it is likely to result in a high risk to the rights and freedoms of natural persons. This obligation to notify data subjects is therefore closely connected to and supplements the controller's independent obligation to notify the relevant supervisory authority ("SA") under Article 33 GDPR. See therefore also the Commentary on Article 33 GDPR.[2]
As described there, Articles 33 and 34 GDPR are also closely linked with Article 32 GDPR, which obliges controllers as well as processors to implement appropriate security measures. Further, the assessment of whether a notification of the data subject is necessary (due to the resulting high risk to the rights and freedoms of the natural person) as well as the notification itself should be covered by the controller's respective policy (Incident Response Plan), as described in more detail in the commentary on Article 33 GDPR.
Paragraph 1 of this provision imposes an obligation on controllers to notify data subjects without undue delay about a personal data breach where such breach is likely to result in a high risk to the rights and freedoms of natural persons.
Paragraph 2 describes linguistic requirements the information to the data subjects should have ("clear and plain language"), its purpose (describing "the nature of the personal data breach") and minimum content (contact points, consequences, actions taken or otherwise planned).
Paragraph 3 provides for exceptions to the information obligation in specific circumstances, for example where the controller has implemented appropriate technical and organisational measures to exclude any harm.
Finally, paragraph 4 authorises the SA to require the controller to inform the data subjects about a personal data breach in case it has not already done so. Also, the SA might decide that one of the exemptions of Article 34(3) GDPR is applicable.
EDPB Guidelines:
- EDPB, 'Guidelines 01/2021 on Examples regarding Personal Data Breach Notification', 14 December 2021 (Version 2.0); and
- EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0).
(1) Communication of a personal data breach to the data subject
Article 34(1) GDPR obliges the controller to communicate, without undue delay, the personal data breach to data subjects when the breach is likely to result in a high risk to the rights and freedoms of natural persons. This means that not all personal data breaches have to be communicated to the data subjects; indeed, not even all personal data breaches have to be reported to the SA under Article 33 GDPR.
This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the (failed) security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere.
For example: After learning about a personal data breach involving their phone number, a data subject could switch numbers or pay more attention when they are contacted in a suspicious way. Similarly, a data subject might decide to close their account with their bank and look for a more secure financial institution after a personal data breach reveals significant vulnerabilities in the bank's security measures. Further, a data subject might simply block their credit card after learning that it has been compromised in a personal data breach.
Personal data breach
The obligation to notify data subjects of a personal data breach stipulated in this provision refers to the notion of a personal data breach defined in Article 4(12) GDPR, i.e. “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. For more information, see commentary on Article 4(12) GDPR. However, as mentioned above, the obligation to communicate the personal data breach to data subjects only arises where there is a high risk to the rights and freedoms of natural persons, likely resulting from the personal data breach (see below).[3]
Is likely to result in a high risk to the rights and freedoms of natural persons
Article 34(1) GDPR differs in an important respect from the obligation to notify the SA about a personal data breach in accordance with Article 33 GDPR. Instead of having to notify the SA of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a personal data breach to data subjects where it is likely to lead to a high risk to the rights and freedoms of natural persons. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR.[4] In any event, the controller needs to perform an assessment considering the risks for data subjects resulting from the personal data breach. For this risk assessment (consideration of the likelihood and severity of the impact of the personal data breach on the rights and freedoms of the data subjects) and the factors to consider, see commentary on Article 33(1) GDPR.
"[...] This risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data have been breached. Examples of such damage are discrimination, identity theft or fraud, financial loss and damage to reputation. When the breach involves personal data that reveals racial or ethnic origin, political opinion, religion or philosophical beliefs, or trade union membership, or includes genetic data, data concerning health or data concerning sex life, or criminal convictions and offences or related security measures, such damage should be considered likely to occur."
Examples of "high risk" situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).[5]
The fact that controllers only have to communicate personal data breaches likely resulting in a high risk to natural persons should strike a balance between, on the one hand, the controller's interest in not notifying data subjects (often customers or business partners) about circumstances that might very well be harmful to its reputation, and in not overloading data subjects with too much information about merely limited risks, and, on the other hand, the necessity of giving data subjects the ability to take measures to reduce the harm that might result from a personal data breach.[6]
Controllers might be incentivised to perform this assessment in a way that shows no high risk for data subjects in order to avoid the communication stipulated in this provision. Therefore, the SA has the authority to require the controller to communicate the personal data breach to the affected data subjects.[7]
The controller
The obligation set forth in this provision addresses controllers as defined in Article 4(7) GDPR. Please see the commentary on Article 33(1) GDPR on this point, including notes on joint controllership, the relationship with processors and with manufacturers.
It is worth highlighting that the processor's obligation under Article 33(2) GDPR to notify controllers “without undue delay” when they identify a personal data breach is also essential for the controller's obligation to notify data subjects under this provision (see commentary on Article 33(1) and (2) GDPR). However, the processor is neither obliged to communicate the personal data breach to data subjects nor supposed to assess the risk to the rights and freedoms of natural persons; this is the obligation of the controller.[8]
Shall communicate [the breach] to the data subject
The affected data subjects should be directly notified of the relevant breach by the controller. When communicating a breach to data subjects, dedicated messages should be used, separate from regular updates, newsletters or standard messages. Otherwise, the affected data subjects might not realise the relevance of the communication, which should be a clear and transparent communication of the personal data breach.[9] Recital 86 states in this regard that the communication to the data subjects should "describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects".
In case a direct notification to the affected data subjects would involve a disproportionate effort, the communication of a personal data breach could also be done via public communication or similar measures, ensuring that data subjects are informed in an equally effective manner (see exemption in Article 34(3)(c) GDPR below).[10]
"Examples of transparent communication methods include direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach to an individual. The EDPB recommends that controllers should choose a means that maximizes the chance of properly communicating information to all affected individuals. Depending on the circumstances, this may mean the controller employs several methods of communication, as opposed to using a single contact channel."
Controllers will generally be in the best position to determine the most suitable contact channel and method for communicating a breach to individuals, especially if they have regular interactions with their customers. However, it is crucial for controllers to exercise caution when selecting a contact channel, as using a channel compromised by the breach could potentially enable attackers to impersonate the controller.[11]
The communication should take place in a language understood by the data subjects. This could be the language in which previous communication with the data subject took place or the local national language of the data subjects. It could be appropriate to provide the communication in several languages.[12]
In some cases, it might also be appropriate for the controller to consult the SA regarding the communication to data subjects about a personal data breach, as well as how to formulate an appropriate message and what the most appropriate way would be to contact the affected natural persons.[13] This could be the case if the controller is unable to assess whether the personal data breach will likely result in a high risk for the rights and freedoms of natural persons.[14] Moreover, according to Recital 88, the legitimate interests of law-enforcement authorities are also something to consider in case the early disclosure of a personal data breach could unnecessarily hamper investigations connected to the breach.[15]
"Whenever it is not possible for the controller to communicate a breach to an individual because there is insufficient data stored to contact the individual, in that particular circumstance the controller should inform the individual as soon as it is reasonably feasible to do so (e.g. when an individual exercises their Article 15 right to access personal data and provides the controller with necessary additional information to contact them)."
Without undue delay
Article 34(1) GDPR stipulates that controllers must notify data subjects of a data breach “without undue delay” - in other words, given the likelihood of a high risk for the data subject (see above), as soon as possible, considering that such a communication should enable data subjects to take individual steps to protect themselves from any negative consequences of the breach of their personal data.[16] However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR; for more information on the term "without undue delay", compare also the commentary on Article 33 GDPR. Instead, timelines should be assessed depending on the nature and gravity of the breach itself, the level of risk to natural persons and the need to implement appropriate technical and organisational measures before the communication. Recital 86 GDPR provides examples of issues to take into account when assessing the timeliness of a notification to data subjects: “the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.”
Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach.[17]
(2) Minimal requirements for the controller's communication to the data subject
The communication to the data subjects should enable them to take any steps to protect themselves.[18] Article 34(2) GDPR therefore requires that the communication to the data subject (Article 34(1) GDPR) must contain a description in clear and plain language of the nature of the breach as well as the elements outlined in Article 33(3)(b)-(d) GDPR. Namely, the name and contact details of the data protection officer or other contact point where more information can be obtained; the likely consequences of the data breach; and the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Describe in clear and plain language
This wording is already used in Article 12(1) GDPR, requiring controllers to provide any communication under Articles 13 to 22 and 34 "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". Due to the use of the term "clear and plain language", reference can be made to this provision, which is also directly applicable to the communication to affected data subjects under this provision. See therefore commentary on Article 12(1) GDPR. Regarding the language the controller should use for the communication, see commentary on Article 34(1) GDPR above.
(a) Nature of the personal data breach
See commentary on Article 33(3) GDPR which already describes the controller's obligation to provide the SA with "the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned". However, it should be noted that the additional elements mentioned there are not required in the communication to the data subjects under Article 34(2) GDPR. This is a reasonable choice since, generally, data subjects do not need to know these specific details in order to make informed decisions regarding the breach.[19]
(b) Point of contact
Article 34(2) GDPR provides for the obligation to include information about the name and contact details of the data protection officer or other contact point where more information can be obtained by reference to Article 33(3)(b) GDPR. See, therefore, commentary on Article 33(3)(b) GDPR.
In the case of the communication to the affected data subject, special consideration should be given to the urgent nature of the communication, considering that it is mandatory only in cases of "high risk" to the data subject. The contact point for data subjects should therefore be easily and directly reachable. Consequently, obstructive methods that, for example, require the requester to navigate complex online systems to establish contact are not permissible at this stage. In such cases, an email address seems more appropriate.
(c) Consequence of the breach
Again, reference can be made to commentary on the provision in Article 33(3)(c) GDPR. However, it should be recalled that the communication to the data subject has to use clear and plain language. The use of examples and accessible terminology allows the data subject to immediately understand the risks they are facing and the most appropriate actions to take.
For example: An e-commerce platform experiences a cyberattack resulting in the disclosure of user passwords on the web. The communication under Article 34 GDPR should explain to the user, in clear and plain language, that, due to the breach, it will be necessary to change their password for the service and to ensure that the same password is not used to access other services. In such a case, the user should be advised to change those passwords as well to prevent further unauthorised access.
(d) Measures taken or proposed
Also regarding the description of measures taken or proposed to be taken by the controller to address the personal data breach (including, where appropriate, measures to mitigate its possible adverse effects), reference can be made to the commentary on Article 33(3)(d) GDPR. It should be considered, however, that the information on measures to mitigate the potential adverse effects will probably be especially important for the affected data subjects.
Additional information
As indicated by the phrase “at least” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller “should” provide “recommendations for the natural person concerned to mitigate potential adverse effects”. The information given to data subjects should therefore enable them to take any “necessary precautions”, which, although not directly mentioned by Article 33(3)(b)-(d) GDPR, could be shared as additional information by the controller.
(3) Exemptions from the obligation to communicate to the data subject
Article 34(3) GDPR lists three exemptions from the controller’s obligation to communicate the breach to data subjects. It should be noted that, as per the accountability principle, controllers are required to provide evidence to the SA to demonstrate the applicability of one or more of the specified conditions if they rely upon them. The EDPB also notes that, although the communication may not be immediately necessary (if there is no risk to the rights and freedoms of individuals), the situation may evolve over time, and the risk assessment would need to be reassessed accordingly.[20]
"If a controller decides not to communicate a breach to the individual, Article 34(4) GDPR explains that the supervisory authority can require it to do so, if it considers the breach is likely to result in a high risk to individuals. Alternatively, it may consider that the conditions in Article 34(3) GDPR have been met in which case notification to individuals is not required. If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions."
(a) The controller has applied “appropriate technical and organisational protection measures”
The first exception from the obligation to communicate a personal data breach to the affected data subjects is applicable if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach. This provision specifically mentions measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.
In other words, the exception applies if, prior to the breach, the controller had implemented suitable technical and organisational measures to safeguard the personal data. In particular, these measures aim to make the personal data incomprehensible to unauthorised individuals. One effective approach is the use of pseudonymisation, advanced encryption techniques or tokenisation to protect the personal data. These security measures ensure that even if the data is accessed unlawfully, it remains unintelligible and therefore protected.[21]
Since effective pseudonymisation can mitigate adverse effects of data breaches, it may also be considered when assessing the obligations a controller has under Art. 33 and 34 GDPR. In particular, it may be regarded as an appropriate technical and organisational measure that limits the impact of a personal data breach in the sense of Art. 34(3)(a) GDPR. However, the content of data that was accessed without authorisation can still be analysed by the actor who accessed it.
Careful analysis is required in this case to establish whether the pseudonymisation has reduced the risks resulting from the data breach sufficiently to render communication of the breach to the affected data subjects unnecessary, Art. 34(1) and (3) GDPR.
For example: An unauthorised person gains access to a device on which highly sensitive personal data are stored. However, the content of the device is encrypted. Therefore, even if a data breach occurred that theoretically entails high risks for data subjects, the obligation under Article 34(1) GDPR is not triggered, as the unauthorised party will not be able to make use of the data obtained.
(b) The controller takes “subsequent measures” that diminish the likelihood of a high risk
The second exception applies in case the controller has taken subsequent measures ensuring that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise.
“Subsequent” measures should therefore be interpreted as measures, adopted immediately following a personal data breach, which are able to reduce the likelihood of the high risk to individuals' rights and freedoms materialising. For instance, in certain situations, the controller may have promptly identified and addressed the unauthorised access to personal data, preventing any further misuse. However, it is essential to consider the potential consequences of a breach of confidentiality, taking into account the nature of the data involved.[22]
In addition, it must be stressed that after a risk actually materialised, the controller can no longer invoke subsequent measures to avoid communication to the data subject. Even if subsequent measures could mitigate damages and reduce further risks, the controller is no longer in the position to evaluate what kind of negative consequences could stem from the original data breach. Therefore, a communication to the people concerned is the most effective way to prevent an even greater impact on their rights and freedoms.[23]
(c) The communication would demand a disproportionate effort from the controller
The last exception in this provision applies if the communication of the personal data breach would involve a disproportionate effort. In that case, the controller must instead make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
In other words, in cases where notifying the data subject would require a disproportionate effort, the controller is not obligated to inform the individual. The concept of "disproportionate effort" is not explicitly defined in the GDPR. However, it is understood that the effort involved in notifying data subjects relates to the scope of the breach, particularly the number of individuals affected. As the number of affected individuals increases, the communication process becomes proportionally more complex. Nevertheless, since this exception should be interpreted restrictively, the notion of disproportionate effort should be evaluated in relation to the size of the organisation and the availability of technical tools for conducting notifications. In other words, a large-scale controller will be expected to allocate greater resources, including the adoption of electronic communication tools capable of handling the notification burden. In such cases, the effort required cannot be deemed "disproportionate".[24] If the effort is in fact "disproportionate", an alternative obligation exists, namely the requirement to publicly disclose the breach, which should be equally effective in ensuring transparency and accountability. The EDPB suggests that “technical arrangements” could nonetheless be taken to ensure that data subjects can access further information upon request.[25]
Other exemptions
It is important to highlight that according to Article 23 GDPR, Union or Member State law may restrict the obligations and rights outlined in Article 34 GDPR.
(4) Involvement of the supervisory authority
As mentioned previously, Article 34(4) GDPR authorises the SA to require the controller to communicate a personal data breach to the affected data subjects in case the controller has not already done so. Moreover, the SA may also decide that any of the conditions listed in Article 34(3) GDPR are met, which means that no communication of the personal data breach is necessary.
In that regard, it should be recalled that the threshold triggering the communication of a personal data breach to the affected data subjects under Article 34 GDPR is higher than for the notification obligation to the SA under Article 33 GDPR. Therefore, in all cases where a communication to the affected data subjects is necessary, the notification to the SA is also necessary. Thus, since the SA should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the SA can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons.
It should also be noted that the SA can also provide advice to the controller. This advice can relate to the assessment of the risk to the data subjects or to the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.[26]
Not already communicated the breach to the data subject
Obviously, this provision only applies in situations in which the controller did not already communicate the breach to the affected data subjects. However, it is questionable to what extent the authority could use its power to require the controller to communicate a personal data breach to the affected data subjects in cases where it considers a prior communication of the controller to be incomplete or insufficient. It would make sense for the SA to also require improved communication in those cases.
The supervisory authority
While Article 33(1) GDPR specifically mentions the SA competent in accordance with Article 55 GDPR regarding the controller's notification obligation, Article 34(4) GDPR only mentions "the supervisory authority". However, it is reasonable to read this provision as referring to the SA that was notified under Article 33(1) GDPR.
Having considered the likelihood of the breach resulting in a high risk
In order for the SA to use its power to request the controller to communicate a personal data breach to the affected data subjects, it must consider the likelihood of the data breach resulting in a high risk. Therefore, it can correct a faulty risk assessment by the controller in case the controller came to the conclusion that no high risk to the rights and freedoms of the data subjects is likely to result from the personal data breach.[27]
May require [the controller] to do so
In such case, the authority can instruct the controller to communicate the breach to the affected data subjects.
"[...] If the supervisory authority determines that the decision not to notify data subjects is not well founded, it may consider employing its available powers and sanctions."
However, the SA is not authorised under this provision to communicate the personal data breach to the affected data subjects directly.[28]
May decide that [exemptions] are met
The SA can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller of its obligation to communicate the personal data breach to affected individuals. This can be very helpful for a controller who is uncertain whether or not one of the exceptions might apply.
For example: The notification of the affected data subjects could involve a significant effort, and the controller could be uncertain whether this already amounts to a disproportionate effort, so that a public communication of the personal data breach would suffice. A decision by the SA might help to provide the controller with clarity.
Decisions
→ You can find all related decisions in Category:Article 34 GDPR
References
- ↑ There was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Article 17 thereof only required controllers to take adequate measures to protect personal data from breaches. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition) with further reference.
- ↑ EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), Annex B (available here).
- ↑ Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition) with further references.
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition).
- ↑ Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 7 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 et seq (available here).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 88 (available here).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 92 (available here).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 91 (available here).
- ↑ EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 94 (available here).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 5 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available here).
- ↑ EDPB, 'Guidelines 9/2022 on personal data breach notification under GDPR', 28 March 2023 (Version 2.0), margin number 83 (available here); in contrast, Recital 86 states that this communication "should be made as soon as reasonably feasible".
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 95 (available here).
- ↑ Recital 86 GDPR: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”.
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 11 (C.H. Beck 2024, 4th Edition).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 98 (available here).
- ↑ The encryption must be "state-of-the-art". See, EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 15 (C.H. Beck 2024, 4th Edition).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 16 (C.H. Beck 2025, 2nd Edition).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 97 (available here).
- ↑ EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 94 (available here).
- ↑ Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin number 17 (NOMOS 2025, 2nd Edition).
- ↑ Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 34 GDPR, margin number 16 (C.H. Beck 2024, 4th Edition).