Article 33 GDPR
Legal Text
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
3. The notification referred to in paragraph 1 shall at least:
- (a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- (b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- (c) describe the likely consequences of the personal data breach;
- (d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Relevant Recitals
Commentary
Article 33 GDPR imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay where is likely to result in a risk to the rights and freedoms of natural persons. It lays out a non-exhaustive list of information that must be provided to the supervisory authority and outlines obligations imposed on processors in such a scenario.
There was no equivalent to Article 33 GDPR under the Data Protection Directive 95/46/EC. Indeed, Article 17 of the Directive only required controllers to take adequate measures to protect personal data from breaches.[1] However, Member States such as Germany[2] as well as Spain[3] provided for a similar obligation under their national law.[4]
According to Bensoussan, the drafting of Article 33 GDPR drew inspiration from Article 4 ePrivacy Directive 2002/58/EC. The latter imposes a notification obligation on providers of electronic communication services. However, unlike Article 33 GDPR, the ePrivacy Directive imposes a broader obligation on electronic communication services as they must notify authorities of all breaches rather than only those which pose a risk to natural persons. Article 33 GDPR imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay where is likely to result in a risk to the rights and freedoms of natural persons. It lays out a non-exhaustive list of information that must be provided to the supervisory authority and outlines obligations imposed on processors in such a
scenario. [5]
EDPB Guidelines: on this Article, please see Guidelines 9/2022 on personal data breach notification under GDPR
(1) Data Controller Action in the Event of a Personal Data Breach
First, it is important to define the notion of “personal data breach” before assessing when a controller’s duty to notify the competent supervisory authority of such a breach arises.
WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 7 (available here).
“Personal Data Breach”
According to Article 4(12) GDPR, a personal data breach refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679 provide further guidance on the matter. They clarify that personal data breaches are types of “security incidents”. This indicates that whilst all personal data breaches are security incidents, not all security incidents are personal data breaches.[6]
Article 4(12) GDPR outlines that there is a personal data breach where there is: (1) a “breach of security”; (2) leading to the “accidental”, “unlawful” or “unauthorised”; (3) “destruction”, “loss”, “alteration”, “disclosure of”, or “access to”; and (4) “personal data transmitted, stored or otherwise processed”. This division in four parts rather than three,[7] emphasises that the breach can be accidental, unlawful or unauthorised and that it relates to previously processed personal data.
The WP29 outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where personal data is disclosed accidentally or without authorisation; an “integrity breach”, where personal data is altered accidentally or without authorisation; or an “availability breach”, where access to personal data or the personal data itself is destroyed accidentally or without authorisation. It is possible for a breach to be a combination of all three types.[8]
Article 33(1) GDPR outlines that controllers have an obligation to notify the competent supervisory authority of personal data breach once they have become aware of it.
Awareness of a Data Breach
Article 33(1) GDPR establishes an obligation to notify the relevant supervisory authority once the controller becomes “aware” of a personal data breach. According to the WP29 Notification Guidelines, awareness entails having “reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised”. This definition suggests a high threshold to prove awareness, as it must be established that the controller has “reasonable certainty”. Accordingly, there is a distinction between awareness as defined by WP29 and being informed of a potential breach.[9] Whilst being informed of a potential breach does not amount to “awareness”, it does trigger an obligation on the controller to investigate further to determine (i.e., to gain "awareness") whether a breach of personal data has occurred.[10]
Condition of “Risk”
The obligation to notify the competent supervisory authority of a personal data breach is only triggered where the breach is likely to “result in a risk to the rights and freedoms of natural persons”. The controller must therefore ascertain whether a “risk” is likely to result from a personal data breach upon becoming aware of it.
The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights amongst other situations.[11] Some of these are reiterated in Recital 85 GDPR, which relates more directly to Article 33 GDPR. Although Recital 85 GDPR labels these as “physical, material or non-material damage to natural persons” rather than “risk”, Recital 75 GDPR does equate likelihood of “physical, material or non-material damage” to a “risk”.
It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “natural persons” rather than just “data subjects”. This suggests that the meaning of “risk” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.
Likelihood and Severity of Risk
The WP29 Notification Guidelines attempt to go beyond the GDPR to provide further guidance on how to assess the risk. The Guidelines highlight that controllers must objectively consider the likelihood and severity (as also mentioned in Recital 75 GDPR) of the impact of the breach on rights and freedoms. They also outline that the controller should consider: (i) the category in which the breach falls); (ii) the quantity and sensitivity of personal data; (iii) how easily individuals can be identified; (iv) how serious the consequences of the breach are to individuals; (v) whether individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk (e.g. a health-related controller); and (vii) the size of the breach in terms of numbers of individuals affected. It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Thus, controllers do not need to be certain that a breach has occurred before taking further steps to comply with Article 33 GDPR.[12]
Notifying the Competent Supervisory Authority without Undue Delay
Once the controller has become aware of a personal data breach likely to “result in a risk to the rights and freedoms of natural persons”, Article 33(1) GDPR stipulates that it must notify the “supervisory authority competent in accordance with Article 55”, which in turn provides further clarity as to which authority must be notified. As per Recital 87 GDPR, the supervisory authority may then intervene “in accordance with its tasks and powers” under Articles 55 to 59 GDPR.
Notifying without undue delay: general “72 hours” rule
Notifying the relevant supervisory authority must occur “without undue delay” from the moment controllers become “aware” of a personal data breach with the relevant level of risk. According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “should [take] into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects”. Although this suggests that the qualifier “without undue delay” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: “where feasible”, the controller must notify the relevant authority within a maximum of 72 hours. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to natural persons affected by the data breach.[13]
Notifying without Undue Delay: After 72 hours
Article 33(1) GDPR only requires controllers to notify the competent supervisory authority within 72 hours “where feasible”. This suggests that, in some instances, they can take longer than 72 hours to do so. Additionally, the final sentence of Article 33(1) GDPR stipulates that if a controller fails to notify the supervisory authority within 72 hours, it shall provide “reasons”. This further indicates that, in some cases, taking longer than 72 hours to notify the relevant supervisory authority is permissible under the GDPR.[14] Recital 88 provides an example of such a scenario. Where a rapid notification would “hamper” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR.[15] It would presumably not be in breach of Article 33 GDPR in that case. Regardless of whether the delayed notification is justified or not, the controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1) GDPR).
Implications of Satisfying the Time Conditions
It is relevant to note that the speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach.[16] As a result of this decision, it is arguable that a timely response may be used to mitigate a fine. Conversely, a controller is deemed to have violated its obligations under Article 33 GDPR where it does not notify the competent supervisory authority “without undue delay”.[17] This would amount to a punishable breach of the Article and may justify imposing a greater fine on the controller.
(2) Data Processors Action in the Event of a Personal Data Breach
Article 33(2) GDPR outlines that data processors have an obligation to notify the data controller of a personal data breach once it has become aware of it.
Awareness
Article 33(2) GDPR instructs processors to notify controllers once they become “aware” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “aware” likely reflects its meaning under Article 33(1) GDPR.
Notifying the Data Controller without Undue Delay
According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. It is relevant to note that the controller will become “aware” of the breach as soon as the processor notifies it of a breach.[18] This duty to notify the controller falls in line with other obligations imposed by the GDPR on processors. Article 33(2) GDPR provides further guidance into the relationship between a controller and processor. Article 28(3) GDPR is helpful to understand the duty to notify pursuant to Article 33(2) GDPR. Services provided to a controller by a processor must be “governed by a contract or other legal act […]” according to Article 28(3) GDPR. In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the processor “shall” support the controller in ensuring compliance with obligations found under Article 32 to 36 GDPR. Thus, a contract between the controller and processor will specify how the obligation found within Article 33(2) GDPR must be complied with. It possible for the controller to stipulate within its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. However, the WP29 Notification Guidelines state that the legal responsibility to notify the relevant DPA will remain with the controller regardless of such a contract.[19]
Risk of the Breach
Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead, it appears that the processor must report any personal data breach to the controller. The latter will then assess the risk and notify the supervisory authority should the required threshold be met.[20] Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to Article 28(3) GDPR. The legal responsibility will nonetheless ultimately remain with the controller.
Timing Condition
Article 33(2) GDPR does not set a deadline other than “without undue delay”, but the WP29 recommends that the processor must do so “promptly”. The contract between the controller and the processor pursuant to Article 28(3) GDPR may stipulate a specific time frame in which the processor must notify the controller.[21]
(3) Details of the Notification.
Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. It is important to note that the phrase “shall at least” is used. Therefore, although the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, the controller may provide further information to the competent supervisory authority.
Nature of the Breach
According to Article 33(3)(a) GDPR, the controller must “describe the nature of the personal data breach” to the supervisory authority. This must include the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned. The GDPR does not provide additional information as to what these “categories” mean in this context. However, the WP29 suggests that this may be an attempt to identify various types of individuals at risk of damage caused by the data breach,[22] as well as different types of records processed by the controller.[23] The WP29 Notification Guidelines further clarify that controllers should not rely on the absence of specific numbers of data subject or personal data records concerned as a reason to evade its obligation to notify the competent supervisory authority. Instead, the controller can provide approximate numbers.[24]
Point of Contact
Article 33(3)(b) GDPR requires the notification to the supervisory authority to include the details of a point of contact, allowing the supervisory authority to request further information should where needed carry out an investigation. The provision specifies that the name and contact details of the controller’s data protection officer are required. Alternatively, the controller may provide details of a “point of contact” capable of sharing further information should the supervisory authority require it.
Consequence of the Breach
Article 33(3)(c) GDPR requires the controller to describe the “likely consequences” of the data breach in its notification to the supervisory authority. It is important to note that such consequences do not need to have materialised at that point. Although Recital 87 GDPR seems to distinguish the “consequences” of a breach from its “adverse effects”, it is argued that the latter can be viewed as a subcategory of the former. Thus, controllers should consider the potential adverse effects listed in Recital 85 GDPR, which enumerates various examples of “physical, material or non-material damage to natural persons” caused by a personal data breach.[25]
Measures Taken or Proposed
Finally, Article 33(3)(d) GDPR stipulates that the controller must outline any measures it has taken or plans to take to respond to the personal data breach. The controller must also describe the measures taken or planned to mitigate possible adverse effects.
Additional Details
As mentioned, the controller can provide further information than that required pursuant to Article 33(3)(a) to (d) GDPR. It is important to note that Recital 88 GDPR indicates that the “rules concerning format and procedures applicable to the notification of personal data breaches” depend on the particular circumstances of each breach.[26] Any additional information that should be provided will therefore differ according to each breach. An example of such information was provided by the WP29, which suggested that the controller can name the processor responsible for the personal data breach. This may help other controllers, which rely on services provided by the same processor, to take necessary measures against additional personal data breaches.
(4) Notifying without Undue Delay: Notification in Phases
There are also circumstances where the controller can only notify the competent authority in phases. This option, outlined in Article 33(4) GDPR, is only permissible “in so far as, it is not possible to provide the information at the same time”. Again, this should occur “without undue further delay”. The WP29 additionally recommended that the controller should also provide reasons as to why it had notified the supervisory authority in phases. In any case, the possibility of notifying the supervisory authority in phases should not become common practice for controllers.[27]
(5) Obligation to Document the Breach
Article 33(5) GDPR requires controllers to always document personal data breaches they are made aware of. The documentation must include: the facts of the breach; the effects it has; and the remedial action taken by the controller. It is important to note that this applies to “all” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.[28] Whilst this documentation exists to help the supervisory authority in its duties, it can also benefit the controller itself. Indeed, it may rely on it to justify its decision not to notify the supervisory authority of a breach where it considers that there is no likely risk.
Decisions
→ You can find all related decisions in Category:Article 33 GDPR
References
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 642 (Oxford University Press 2020).
- ↑ Section 42(a) German Federal Data Protection Act 2017.
- ↑ Article 88 Spanish Data Protection Law 2007 (available here).
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 643 (Oxford University Press 2020).
- ↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 250 (Bruylant 2017).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 7 (available here).
- ↑ Tosoni, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 4(12) GDPR, p. 191 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, pp. 7-8 (available here).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 11 (available here).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 11 (available here).
- ↑ See Recital 75 above for more examples.
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, pp. 24-26 (available here).
- ↑ See Recital 85.
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 16 (available here).
- ↑ See Recital 88, which stipulates that “[…] rules and procedures [concerning the format and procedures applicable to the notification of personal data breaches] should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”.
- ↑ CNIL Delieration SAN-2017-010, 18 July 2017 (available here).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 27 (available here).
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 647 (Oxford University Press 2020).
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, pp. 13-14 (available here).
- ↑ In compliance with its own data controller obligations pursuant to Article 33(1) GDPR.
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 14 (available here).
- ↑ E.g. “children” would be a type of individuals compared to “employees” as another type.
- ↑ E.g. “health” would be a type of personal data records compared to “financial details” as another type.
- ↑ See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 14 (available here).
- ↑ “[…] loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage […]”
- ↑ See Recital 88 “In setting detailed rules concerning format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. […].”
- ↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 16 (available here).
- ↑ Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 649 (Oxford University Press 2020).