
Article 33 GDPR

From GDPRhub
Article 33 - Notification of a personal data breach to the supervisory authority

Legal Text

Article 33 - Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Relevant Recitals

Recital 85: Notification Reasons and Timeframe
A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

Recital 88: Notification Rules and Procedures
In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Commentary

Article 33 GDPR regulates the controller's and the processor's obligations in case of a personal data breach (as defined in Article 4(12) GDPR).[1] Specifically, this provision sets out the controller's obligation to notify the supervisory authority ("SA") of personal data breaches. This obligation is therefore closely related to the parallel obligation in Article 34 GDPR to notify data subjects of a personal data breach. It is also closely connected to Article 32 GDPR, which obliges controllers and processors to implement technical and organisational measures ensuring a level of security appropriate to the risk; those measures should prevent personal data breaches in the first place and ensure that breaches which do occur are detected as early as possible.

The obligation to notify the SA is a manifestation of the transparency principle (Article 5(1)(a) GDPR) as well as of the accountability principle (Article 5(2) GDPR), since it obliges the controller to be transparent with the SA regarding its own deficiencies. At the same time, the obligation can be expected to have a preventive function: controllers have an incentive to secure their processing so that they do not have to notify the SA of shortcomings in the security of processing.[2] All of this applies equally to the obligation to notify data subjects under Article 34 GDPR.

In order to be able to investigate personal data breaches in time and to notify the SA without undue delay, the controller should implement appropriate procedures and train its employees. Such a procedure is regularly referred to as an Incident Response Plan and covers topics such as internal responsibilities and the departments to which incidents should be reported internally, templates for the investigation and for the notifications to the SA and to data subjects, and how personal data breaches should be documented.[3] Ideally, the Incident Response Plan should also provide a mechanism for assessing the risks to the rights and freedoms of the data subjects. Obviously, this procedure should also cover the notification of data subjects under Article 34 GDPR.

Paragraph 1 imposes an obligation on controllers to notify the competent SA of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Paragraph 2 imposes a corresponding obligation on the processor, with the only difference being that the recipient of the notification should be the controller.

Paragraph 3 lays out the minimum information that must be provided to the SA; the list is not exhaustive.

Paragraph 4 allows controllers to provide the details of the breach in phases where all the information cannot be provided at the same time.

Finally, under paragraph 5, and in line with the accountability principle, the controller must document any data breach including the facts, effects, and the remedial action taken.
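The Incident Response Plan described above has to tie together the elements summarised in paragraphs 1 to 5: the moment of awareness, the 72-hour clock, the risk threshold, the minimum content of the notification, phased supplements and the internal record. The following breach register is an added example written for this commentary; it is not code from GDPRhub or the EDPB. The three-step likelihood/severity scale, its mapping onto the "unlikely to result in a risk", "risk" and "high risk" thresholds, and all field names are this example's own assumptions, and the timestamps and breach details in the walk-through are constructed. The walk-through also shows a risk that changes after the initial assessment (a lost encrypted device whose key later turns out to be compromised), which the EDPB example further down discusses.

```python
"""Breach register for the Article 33 GDPR notification workflow (added example,
not GDPRhub or EDPB code; the 1..3 risk scale and field names are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 33(1)
# Minimum content of the notification to the SA, Article 33(3)(a)-(d).
REQUIRED_FIELDS = ("nature", "contact", "likely_consequences", "measures")


def classify_risk(likelihood, severity):
    """'none': unlikely to result in a risk (no notification); 'risk': notify the
    SA; 'high': also notify the data subjects (Art. 34). Unknown values err on
    the side of notification, as the EDPB recommends."""
    if likelihood is None or severity is None:
        return "risk"
    score = likelihood * severity  # assumed 1..3 x 1..3 matrix
    if score <= 2:
        return "none"
    return "high" if score >= 6 else "risk"


@dataclass
class BreachRecord:
    aware_at: datetime  # moment of "reasonable degree of certainty"
    likelihood: Optional[int] = None
    severity: Optional[int] = None
    content: dict = field(default_factory=dict)  # information gathered so far
    phases: list = field(default_factory=list)  # (when, fields) per Art. 33(4) phase
    log: list = field(default_factory=list)  # Art. 33(5) documentation
    first_notified_at: Optional[datetime] = None

    def document(self, when, event):
        self.log.append((when.isoformat(), event))

    def deadline(self):
        return self.aware_at + NOTIFICATION_WINDOW

    def risk(self):
        return classify_risk(self.likelihood, self.severity)

    def reassess(self, when, likelihood, severity, reason):
        """Risk is not static: e.g. the key of a lost encrypted device leaks later."""
        self.likelihood, self.severity = likelihood, severity
        self.document(when, f"risk reassessed to '{self.risk()}': {reason}")

    def missing_fields(self):
        return [f for f in REQUIRED_FIELDS if f not in self.content]

    def add_phase(self, when, **fields):
        """Supply or update information in phases (Art. 33(4))."""
        self.content.update(fields)
        self.phases.append((when, dict(fields)))
        self.document(when, f"phase {len(self.phases)} gathered: {sorted(fields)}")

    def notify(self, when, reasons_for_delay=None):
        """Build the initial notification, or a later supplement, sent to the SA."""
        if self.risk() == "none":
            raise ValueError("unlikely to result in a risk: document internally, do not notify")
        initial = self.first_notified_at is None
        late = initial and when > self.deadline()
        if late and not reasons_for_delay:
            raise ValueError("notification after 72 hours must state the reasons for the delay")
        if initial:
            self.first_notified_at = when
        payload = {
            "kind": "initial" if initial else "supplement",
            "aware_at": self.aware_at.isoformat(),
            "deadline": self.deadline().isoformat(),
            "sent_at": when.isoformat(),
            "risk": self.risk(),
            "notify_data_subjects": self.risk() == "high",  # Art. 34 threshold
            "delay_reasons": reasons_for_delay if late else None,
            "to_follow": self.missing_fields(),  # information still outstanding
            **{f: self.content.get(f) for f in REQUIRED_FIELDS},
        }
        self.document(when, f"{payload['kind']} notification sent" + (" (late)" if late else ""))
        return payload


def run_scenario():
    """Constructed walk-through: a lost encrypted laptop whose key leaks later."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    rec = BreachRecord(aware_at=t0, likelihood=1, severity=2)
    rec.document(t0, "encrypted laptop lost; key held by controller; backup exists")
    notify_at_first = rec.risk() != "none"  # False: unlikely to result in a risk
    rec.reassess(t0 + timedelta(hours=30), 3, 2, "decryption key found in an attacker dump")
    rec.add_phase(t0 + timedelta(hours=31), nature="lost laptop, key compromised; ~1,200 customer records",
                  contact="dpo@example.org")  # constructed contact
    initial = rec.notify(t0 + timedelta(hours=32))  # within 72 h of awareness
    rec.add_phase(t0 + timedelta(hours=96), likely_consequences="identity fraud, phishing",
                  measures="keys rotated, affected customers contacted")
    supplement = rec.notify(t0 + timedelta(hours=97))  # supplement, not a late notification
    return {"notify_at_first": notify_at_first, "initial": initial,
            "supplement": supplement, "log": rec.log}
```

Two design choices matter here. The 72-hour clock runs from awareness, not from the reassessment, so a first notification after the deadline is refused unless reasons for the delay are supplied, whereas a supplement sent after the deadline is an ordinary phased update under Article 33(4). And the record never discards a breach classified as "none": it is still documented, because Article 33(5) covers every breach, not only the notified ones.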

EDPB Guidelines:

(1) Controller's notification in the event of a personal data breach

Article 33(1) GDPR introduces the controller's obligation to notify the SA without undue delay and, where feasible, not later than 72 hours in case of a personal data breach. This provision also provides for an exception from this obligation in case the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. In case the notification is not possible within 72 hours, the controller has to include the reason for this delay in the notification to the SA.

The notification of a data breach serves several purposes. Primarily, it should make the SA aware of the personal data breach and enable it to assess the breach for itself.[4] By establishing contact with the SA, it also allows controllers to identify potential solutions and, if necessary, receive instructions on how to inform the affected data subjects. The EDPB emphasises that a data breach is ultimately a matter of data security directly affecting the data subjects' interests; the notification is therefore essentially a measure aimed at protecting individual interests. Failure to report a breach to a SA (or to a data subject, see Article 34 GDPR) is in any event subject to sanctions under Article 83 GDPR.[5]

It should be recalled that according to Article 32 GDPR, both controllers and processors are obligated to implement suitable technical and organisational measures to ensure an adequate level of security in relation to the risks associated with the processing of personal data. These measures should consider factors such as the current state of technology, the implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of individuals. Furthermore, the GDPR mandates the implementation of appropriate technological and organisational measures to promptly detect and determine whether a personal data breach has occurred. The occurrence of a breach triggers the notification obligation.[6]

In case of personal data breach

The notification obligation stipulated in this provision refers to the notion of a personal data breach defined in Article 4(12) GDPR, i.e. “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. For more information, see commentary on Article 4(12) GDPR.

The controller

The reporting obligation outlined in Article 33(1) GDPR applies to the data controller, encompassing both natural persons and public or non-public entities as defined in Article 4(7) GDPR. In cases where multiple controllers jointly determine the purposes and means of processing as defined in Article 26 GDPR, each controller is responsible for reporting their own data breaches as well as those of the other controller(s). However, it is possible for the controllers to establish a different arrangement regarding the reporting obligations through an agreement on joint responsibility as required under Article 26(1) GDPR.[7]

The obligation in Article 33(1) GDPR does not address a processor of the controller. However, according to Article 33(2) GDPR, the processor has to inform the controller in case they become aware of a personal data breach (see commentary on paragraph 2).[8]

Notably, the GDPR imposes no obligation on manufacturers of hardware or software to inform SAs about (potential) personal data breaches.[9]

After having become aware

Article 33(1) GDPR outlines that controllers have an obligation to notify the competent SA of a personal data breach once they have become "aware" of it.


"[A] controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 31.


It is not necessary that the controller has absolute certainty about the occurrence of a personal data breach; a reasonable degree of certainty is sufficient.[10] Conversely, a controller does not have to notify the SA of a mere suspicion that a personal data breach might have occurred.[11]

In certain cases, the occurrence of a personal data breach may be evident from the beginning, while in other instances it may take some time until a controller can be reasonably certain. Nevertheless, the focus should be on promptly initiating an investigation into the incident to determine whether there has been a breach of personal data. If a breach is confirmed, appropriate remedial actions should be taken and, if necessary, notifications should be provided without delay. As recalled above, the GDPR requires the controller to implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place and to inform the supervisory authority and the data subjects promptly.[12]


After first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 34.

The EDPB's approach regarding the term "being aware" suggests a rather high threshold to prove awareness, as it must be established that the controller has “reasonable certainty”. Accordingly, there is a distinction between awareness as defined by the EDPB and being informed of a potential breach. Whilst being informed of a potential breach does not amount to “awareness”, it does trigger an obligation on the controller to investigate further to determine (i.e., to gain "awareness") whether a breach of personal data has occurred.[13]

However, it is important to emphasise that once the controller has reasonably established that a breach has occurred and the conditions specified in Article 33(1) GDPR are met, it must promptly notify the SA, where feasible within 72 hours, unless exceptional circumstances justify a delay. Failing to act in a timely manner and subsequently failing to notify the SA of a confirmed breach could be considered a violation of the notification requirement in Article 33 GDPR.[14]

There is some debate around the question of whether the knowledge of the controller's processor is also attributable to the controller, i.e. if the controller should be considered aware, at the time the processor becomes aware of a personal data breach. According to the EDPB, this is not the case and the controller can only be considered aware of the personal data breach once it is informed by the processor or it becomes aware by other means.[15]

Shall notify the breach to the supervisory authority

Once the controller has become aware of a personal data breach likely to “result in a risk to the rights and freedoms of natural persons” (see below), it must notify the SA competent in accordance with Article 55 GDPR.[16] However, where there is cross-border processing under Article 56 GDPR, the competent SA for the notification is the one of the main establishment or of the single establishment of the controller or processor.[17]


"This means that whenever a breach takes place in the context of cross-border processing and notification is required, the controller will need to notify the lead supervisory authority. Therefore, when drafting its breach response plan, a controller must make an assessment as to which supervisory authority is the lead supervisory authority that it will need to notify. This will allow the controller to respond promptly to a breach and to meet its obligations in respect of Article 33. It should be clear that in the event of a breach involving cross-border processing, notification must be made to the lead supervisory authority, which is not necessarily where the affected data subjects are located, or indeed where the breach has taken place. When notifying the lead authority, the controller should indicate, where appropriate, whether the breach involves establishments located in other Member States, and in which Member States data subjects are likely to have been affected by the breach. If the controller has any doubt as to the identity of the lead supervisory authority then it should, at a minimum, notify the local supervisory authority where the breach has taken place"

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 69 footnotes omitted.

If a controller who is not established in the Union but falls under the scope of Article 3(2) or Article 3(3) GDPR experiences a personal data breach, they are still obligated to fulfill the notification requirements outlined in Articles 33 and 34 of the GDPR. In such cases, the controller is required to notify each SA in the Member State where affected data subjects reside.[18]

It is worth recalling that in the handling of a data breach, a controller should not only consider the notification of the competent SA in accordance with this provision, but also the notification of affected data subjects (Article 34 GDPR). Further, it can be reasonable to also inform the processors involved, business partners or other stakeholders, even if no such obligation is directly stipulated in the GDPR.

It is an open question what consequences a notification to a SA that is not the competent one has, and whether that SA would be obliged to forward the notification to the competent SA or at least to notify the controller of its doubts regarding its competence.[19]

Without undue delay, no later than 72 hours

Notification of the relevant SA must occur "without undue delay" from the moment the controller becomes "aware" of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The notification has to be made without undue delay and, where feasible, not later than 72 hours after the controller became aware of the breach. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to the natural persons affected by the breach.[20]

According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay "should [take] into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects". Although this suggests that the qualifier "without undue delay" is circumstance-specific, Article 33(1) GDPR provides a general rule for satisfying this obligation: "where feasible", the controller must notify the relevant authority within a maximum of 72 hours. This implies that, in some instances, controllers can take longer than 72 hours. In that case, the controller has to provide the SA with the reasons for the delay (see below).


"Such a scenario might take place where, for example, a controller experiences multiple, similar confidentiality breaches over a short period of time, affecting large numbers of data subjects in the same way. A controller could become aware of a breach and, whilst beginning its investigation, and before notification, detect further similar breaches, which have different causes. Depending on the circumstances, it may take the controller some time to establish the extent of the breaches and, rather than notify each breach individually, the controller instead organises a meaningful notification that represents several very similar breaches, with possible different causes. This could lead to notification to the supervisory authority being delayed by more than 72 hours after the controller first becomes aware of these breaches."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 63.

Notification of data breaches is sometimes disregarded by controllers, since it could trigger an investigation by the competent SA, especially with regard to the controller's duties pursuant to Article 32 GDPR. However, it must be considered that the controller's inactivity could also lead to sanctions, including fines pursuant to Article 83(4)(a) GDPR.

Unless the breach is unlikely to result in a risk

The obligation to notify the competent SA of a personal data breach is not triggered where the breach is "unlikely to result in a risk to the rights and freedoms of natural persons”. The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”.[21] Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights, amongst other situations.[22] Some of these are reiterated in Recital 85 GDPR, which labels these as “physical, material or non-material damage to natural persons”.[23]


"This means that immediately upon becoming aware of a breach, it is vitally important that the controller should not only seek to contain the incident but it should also assess the risk that could result from it. There are two important reasons for this: firstly, knowing the likelihood and the potential severity of the impact on the individual will help the controller to take effective steps to contain and address the breach; secondly, it will help it to determine whether notification is required to the supervisory authority and, if necessary, to the individuals concerned."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 101.


That said, controllers must objectively consider the likelihood and severity of the impact of the breach on rights and freedoms by taking into account the following:

  • Type of breach: For instance, a breach of confidentiality in which unauthorised parties gain access to medical information may have different consequences for an individual compared to a breach where an individual's medical details have been lost and are no longer accessible.[24]
  • Nature, sensitivity, and volume of personal data: Typically, the level of risk to the individuals affected increases with the sensitivity of the data involved. Breaches that involve health data, identity documents, or financial information such as credit card details have the potential to cause harm on their own; when these types of data are compromised together, the risk of identity theft increases further. A combination of several personal data elements is generally more sensitive and poses a greater risk than a single piece of personal data. It is also important to consider other personal data that may already be accessible about the data subject. For instance, the disclosure of an individual's name and address is, under normal circumstances, unlikely to result in significant harm; if, however, the name and address of an adoptive parent are disclosed to a birth parent, the consequences could be extremely severe for both the adoptive parent and the child.[25] In any case, it is not necessary that special categories of data are involved for there to be a risk to the rights and freedoms of natural persons.[26]
  • How easily individuals can be identified: The breached data can potentially enable direct or indirect identification, although the likelihood may vary depending on the specific circumstances of the breach and the public availability of related personal information. This aspect becomes particularly significant in the context of breaches affecting confidentiality and availability of data.[27]
  • How serious the consequences of the breach are to individuals: When breaches involve certain categories of personal data, the potential harm to individuals can be particularly severe. This is especially true when the breach has the potential to lead to identity theft or fraud, physical harm, psychological distress, humiliation, or damage to reputation. Additionally, if the breached data pertains to vulnerable individuals, they may be at an even greater risk of experiencing harm.[28]
  • Whether individuals affected are particularly vulnerable: For example children or other individuals who may be subject to greater risk.[29]
  • Whether the controller has a particular role that may entail a higher risk: For example, a medical organisation which processes special categories of personal data.[30]
  • The size of the breach in terms of numbers of individuals affected: The impact of a breach can vary depending on the number of individuals affected, ranging from just a few to potentially thousands or more. While it is generally true that a larger number of affected individuals can lead to a greater overall impact, it is important to recognize that even a breach affecting a single individual can have severe consequences. The extent of the impact depends on factors such as the nature of the compromised personal data and the specific circumstances surrounding the breach. Assessing the likelihood and severity of the impact on those affected is crucial in evaluating the significance of a breach.[31]

Hence, when assessing the risk associated with a breach, the controller must consider both the potential severity of the impact on individuals' rights and freedoms and the likelihood of such impacts occurring. It is crucial to evaluate these factors together to determine the overall risk level. If the consequences of a breach are particularly severe, the risk level increases. Likewise, if the likelihood of those consequences happening is higher, the risk level is also elevated. In cases where there is uncertainty or doubt, it is recommended that the controller errs on the side of caution and proceeds with notification. Annex B of the Guidelines on data breach provides valuable examples of different breach scenarios that entail risks or high risks to individuals.[32]


"[I]f personal data have been made essentially unintelligible to unauthorised parties and where the data are a copy or a backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority. This is because such a breach is unlikely to pose a risk to individuals’ rights and freedoms."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 78.


For example: "A breach that would not require notification to the supervisory authority would be the loss of a securely encrypted mobile device, utilised by the controller and its staff. Provided the encryption key remains within the secure possession of the controller and this is not the sole copy of the personal data then the personal data would be inaccessible to an attacker. This means the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. If it later becomes evident that the encryption key was compromised or that the encryption software or algorithm is vulnerable, then the risk to the rights and freedoms of natural persons will change and thus notification may now be required."[33]

Reasons for delay in case notification is not made in 72 hours

According to the last sentence of Article 33(1) GDPR, if the controller was not able to make the notification within 72 hours, it must provide the SA with the reasons for the delay together with the notification. In other words, the controller must explain why notifying the relevant authority within 72 hours was not feasible.

This provision does not contain any requirements for the justification of the delay; however, the reasons should be more detailed in cases of severe personal data breaches or longer delays. Purely personal reasons on the controller's side (e.g. sickness or vacation of the people involved in the notification or investigation process) will not be sufficient, since the controller's technical and organisational measures should provide for such eventualities.[34]



However, whenever possible, the controller should make use of the possibility to notify in phases (see Article 33(4) GDPR) instead of not notifying the SA at all in the first 72 hours after becoming aware of the personal data breach.

(2) Processor's notification in the event of a personal data breach

The controller bears the ultimate responsibility for safeguarding personal data, but the processor plays a crucial role in enabling the controller to fulfill its obligations. In case personal data processed by the processor is affected by a personal data breach in the sphere of the processor, it is likely that only the processor has the necessary knowledge to detect (and further investigate) a data breach. In other cases, the processor might just become aware of a personal data breach earlier than the controller.[35] Regarding the notification of a personal data breach, Article 33(2) of the GDPR clarifies that when the processor becomes aware of a breach concerning the personal data it processes on behalf of the controller, it must promptly notify the latter.

Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons.[36] Instead, the processor must report any personal data breach to the controller. The latter will then assess the risk and, according to the criteria established in Article 33(1), possibly notify the SA, should the required threshold be met. The controller can impose a contractual obligation on the processor to assess the risk level pursuant to Article 28(3) GDPR. The legal responsibility will nonetheless ultimately remain with the controller.[37]

It should also be recalled that in accordance with Article 28(3)(f) GDPR the processing agreement between the controller and the processor must include the processor's obligation to assist the controller in ensuring compliance with Article 33 GDPR.[38] However, the obligation under this provision is independent from the conclusion of a processing agreement.[39]

The processor

The addressee of the provision is the processor (Article 4(8) GDPR) engaged under Article 28 GDPR.

After becoming aware of the breach

Article 33(2) GDPR instructs processors to notify controllers once they become “aware” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “aware” likely reflects its meaning under Article 33(1) GDPR (see above).

Shall notify the data controller

According to Article 33(2) GDPR, the processor has the obligation to notify the controller of a data breach it becomes aware of. The processor has no obligation to notify the competent SA. This obligation exists in parallel to the processor's (contractual) obligation under Article 28(3)(f) GDPR to assist the controller "in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor."

The contract between controller and processor should further specify how the obligation under Article 33(2) GDPR must be complied with. It is possible for the controller to stipulate in its contract with the processor that the latter must notify the SA directly in the event of a breach. The contract pursuant to Article 28(3) GDPR may also stipulate a specific time frame within which the processor must notify the controller. However, the legal responsibility to notify the relevant SA remains with the controller regardless of such a contract, which exclusively regulates obligations between private parties.[40]

Without undue delay

The contribution of the processor is essential for the controller to fulfil its responsibility for the notification procedure to the SA, as stipulated in Article 33(1) GDPR. The longer the processor delays its notification, the less time the controller has to comply with its own notification duties under Article 33(1) GDPR.[41] The breach notification by the processor must occur "without undue delay". In other words, the controller must be informed immediately; the specific 72-hour maximum of Article 33(1) GDPR does not apply to the processor's notification.[42]

"The GDPR does not provide an explicit time limit within which the processor must alert the controller, except that it must do so “without undue delay”. Therefore, the EDPB recommends the processor promptly notifies the controller, with further information about the breach provided in phases as more details become available. This is important in order to help the controller to meet the requirement of notification to the supervisory authority within 72 hours."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 45.

(3) Minimal requirements of the controller's notification

Article 33(3) GDPR provides a list of details that the controller must include in a notification to a SA. The phrase “shall at least” indicates that the notification must include the elements enumerated in Article 33(3)(a) to (d) GDPR, but the controller may provide further information. With this information, the SA should be capable of assessing the personal data breach on its own.[43]

This list includes the following elements:

(a) Nature of the breach, categories of data subjects and data, numbers

According to Article 33(3)(a) GDPR, the controller must describe (i) the nature of the personal data breach to the SA, including, where possible, the categories of (ii) data subjects and (iii) data records concerned, as well as their (iv) respective approximate numbers. In other words, the notification should address the qualitative (nature and categories) and quantitative (numbers) aspects of the data breach, with regard to both the objective (data) and the subjective elements (data subjects).

(i) Nature of the personal data breach

As mentioned above, the EDPB outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; or an “availability breach”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "nature" of the personal data breach.[44]

(ii) Categories of data subjects

The GDPR does not provide additional information as to what “categories of data subjects” means in this context. The EDPB suggests a flexible approach, guided by the actual objective of the notification, which is primarily to mitigate harm to the rights of the individuals affected. In other words, this information should describe the type of individuals involved, such as children, vulnerable groups, people with disabilities, employees or customers. A data breach involving personal data related to the health of underage users, for instance, necessitates significantly different actions compared to the disclosure of email addresses.[45]

(iii) Categories of data records

This refers to the different types of records that the controller may process, such as health data, educational records, social care information, financial details, bank account numbers, passport numbers and so on.[46]

(iv) Numbers of data subjects and records concerned

The numbers should be as specific as possible. However, where precise information is unavailable, such as the exact number of affected data subjects or records, this should not hinder the timely notification of a breach. The GDPR permits the use of approximations when determining the number of individuals impacted and the number of personal data records involved. The emphasis should be on addressing the negative consequences of the breach rather than solely on providing precise figures. To guarantee both effectiveness and precision, the controller can carry out a notification in phases under Article 33(4) GDPR (see below).[47]

"Recital 85 GDPR makes it clear that one of the purposes of notification is limiting damage to individuals. Accordingly, if the types of data subjects or the types of personal data indicate a risk of particular damage occurring as a result of a breach (e.g. identity theft, fraud, financial loss, threat to professional secrecy), then it is important the notification indicates these categories. In this way, it is linked to the requirement of describing the likely consequences of the breach."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 51.


(b) Point of contact

Under Article 33(3)(b) GDPR, the SA must be given the contact details of the data protection officer or other contact point where further information can be obtained. The name and contact details of the controller’s data protection officer are therefore required. In the absence of a DPO, the controller may provide details of a “point of contact” capable of sharing further information should the SA require it.[48]

(c) Consequence of the breach

Article 33(3)(c) GDPR requires the controller to describe the “likely consequences” of the data breach in its notification to the SA. It is important to note that such consequences do not need to have materialised at that point. Thus, controllers should consider the potential adverse effects listed in Recital 85 GDPR, which enumerates various examples of “physical, material or non-material damage to natural persons” caused by a personal data breach.[49] This requirement is likely to be a challenge for companies in practice, as these consequences are usually difficult to assess and usually depend on a number of factors.[50]

(d) Measures taken or proposed

Finally, Article 33(3)(d) GDPR stipulates that the controller must outline any measures it has taken or plans to take to remedy the personal data breach. The controller must also describe the measures taken or planned to mitigate possible adverse effects. The controller is not required to wait for feedback from the SA regarding the implementation of the "planned" measures.[51]

Additional details

As mentioned, the controller can provide more information than is required pursuant to Article 33(3)(a) to (d) GDPR. It is important to note that Recital 88 GDPR indicates that the “rules concerning format and procedures applicable to the notification of personal data breaches” depend on the particular circumstances of each breach.[52] Any additional information that should be provided will therefore differ from breach to breach. For example, the controller can name the processor responsible for the personal data breach. This may help other controllers which rely on services provided by the same processor to take the necessary measures against further personal data breaches. Nevertheless, the SA might on its own initiative request further details on the personal data breach in the course of an investigation.[53]

It should be noted that, in general, the notification will not have to include details at a level that would entail the disclosure of trade secrets or of the breached data itself. However, it cannot be excluded that this might be the case.[54]

(4) Notification in phases

There are also circumstances where the controller can only notify the competent authority in phases. This option, outlined in Article 33(4) GDPR, is only permissible “in so far as, it is not possible to provide the information at the same time”. This indicates that the GDPR acknowledges that controllers may not always possess all the required information about a breach during the first investigation and within 72 hours of becoming aware of it, as complete and comprehensive details of the incident may not be immediately accessible during this initial time frame. This scenario is more likely to occur in the case of complex breaches, such as certain types of cybersecurity incidents, where an in-depth forensic investigation may be necessary to accurately determine the nature of the breach and the extent of the personal data compromised. As a result, in many instances the controller will need to conduct further investigations and provide additional information at a later stage. Consequently, the GDPR permits a phased approach to notification.[55]

"The EDPB recommends that when the controller first notifies the supervisory authority, the controller should also inform the supervisory authority if the controller does not yet have all the required information and will provide more details later on. The supervisory authority should agree how and when additional information should be provided. This does not prevent the controller from providing further information at any other stage, if it becomes aware of additional relevant details about the breach that need to be provided to the supervisory authority."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 57.

Again, this should occur “without undue further delay” and does not release the controller from the obligation to notify the SA, where feasible, within 72 hours, even if the initial notification cannot contain all the necessary information.[56] The controller should also indicate that there will be a follow-up and provide reasons as to why it has notified the SA in phases. In any case, the possibility of notifying the SA in phases should not become common practice for controllers.[57]

"It should also be clear that after making an initial notification, a controller could update the supervisory authority if a follow-up investigation uncovers evidence that the security incident was contained and no breach actually occurred. This information could then be added to the information already given to the supervisory authority and the incident recorded accordingly as not being a breach. There is no penalty for reporting an incident that ultimately transpires not to be a breach."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 60.

The need to provide the information to the SA in phases should be assessed objectively. Providing information in phases should be considered unreasonable if it hinders the timely implementation of mitigating measures.[58]

(5) Obligation to document the breach

Article 33(5) GDPR requires controllers to always document personal data breaches they are aware of. This obligation should, inter alia, enable the SA to verify the controller's compliance with the notification obligation provided by Article 33 GDPR. The documentation must include:

  • the facts of the breach;
  • the effects it has;
  • and the remedial action taken by the controller.

It is important to note that this applies to “all” breaches, regardless of the potential risk to the rights and freedoms of natural persons, and therefore also regardless of whether the SA was notified or not.[59] This obligation is linked to the accountability principle under Article 5(2) GDPR.[60] Whilst this documentation exists to help the SA in its duties, it can also benefit the controller itself. Indeed, the controller may rely on it to justify its decision not to notify the SA of a breach where it considers that there is no likely risk. Moreover, as the principle of accountability requires the controller not only to comply with the GDPR but also to be able to demonstrate compliance, keeping records of data breaches makes it easier for the controller to prove that it complied with the relevant security obligations, even if these were not sufficient to avoid the breach.

For example: In order to assess whether a controller has implemented technical and organisational measures to detect personal data breaches, the SA could ask for the record of personal data breaches. If the controller is a large company with numerous data processing activities, it is unlikely that there are no entries. If that is nonetheless the case, the controller has probably implemented insufficient measures to detect personal data breaches or has failed to document them accordingly. In any case, the SA might consider it necessary to investigate further.

"In addition to these details, the EDPB recommends that the controller also document its reasoning for the decisions taken in response to a breach. In particular, if a breach is not notified, a justification for that decision should be documented. This should include reasons why the controller considers the breach is unlikely to result in a risk to the rights and freedoms of individuals."

EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 125.


As is the case for other documentation obligations, the GDPR does not provide a retention period for this documentation. The controller should determine an appropriate period of retention considering the fact that such documentation will normally not contain any personal data itself.[61]

Not covered by this documentation obligation are security incidents that were assessed but did not constitute personal data breaches. However, controllers could also decide to document such instances.[62]

Decisions

→ You can find all related decisions in Category:Article 33 GDPR

References

  1. There was no equivalent to Article 33 GDPR under the Data Protection Directive 95/46/EC. Indeed, Article 17 of the Directive only required controllers to take adequate measures to protect personal data from breaches. However, Member States such as Germany (Section 42(a) German Federal Data Protection Act 2017) as well as Spain (Article 88 Spanish Data Protection Law 2007) provided for a similar obligation under their national law. See, Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 642-643 (Oxford University Press 2020). According to Bensoussan, the drafting of Article 33 GDPR drew inspiration from Article 4 ePrivacy Directive 2002/58/EC. The latter imposes a notification obligation on providers of electronic communication services. However, unlike Article 33 GDPR, the ePrivacy Directive imposes a broader obligation on electronic communication services as they must notify authorities of all breaches rather than only those which pose a risk to natural persons. See, Bensoussan, Reglement europeen sur la protection des donnees, p. 250 (Bruylant 2017).
  2. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 1 (C.H. Beck 2024, 4th Edition).
  3. Hladjk, in Ehmann, Selmayr, DSGVO, Article 33 GDPR, margin number 10 (C.H. Beck 2024, 3rd Edition); EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 7 (available here).
  4. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
  5. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 5 (available here).
  6. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 10 et seq. (available here).
  7. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 6 (C.H. Beck 2024, 4th Edition); Hladjk, in Ehmann, Selmayr, DSGVO, Article 33 GDPR, margin number 14 (C.H. Beck 2024, 3rd Edition).
  8. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 8 (NOMOS 2025, 2nd Edition).
  9. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 8 (NOMOS 2025, 2nd Edition).
  10. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 7 (NOMOS 2025, 2nd Edition); EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 31 (available here).
  11. Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 7 (NOMOS 2025, 2nd Edition).
  12. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 32 et seq. (available here); according to a minority opinion the controller can be considered to be aware of a data breach as soon as it should have been aware had it implemented appropriate technical and organisational measures; see Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 5 (NOMOS 2025, 2nd Edition).
  13. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 34 (available here).
  14. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 35 (available here).
  15. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 44 (available here); also supported by Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 15 (C.H. Beck 2024, 4th Edition); opposing view: Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 7 (NOMOS 2025, 2nd Edition).
  16. As per Recital 87 GDPR, the supervisory authority may then intervene “in accordance with its tasks and powers” under Articles 55 to 59 GDPR.
  17. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 69 (available here); see also Hladjk, in Ehmann, Selmayr, DSGVO, Article 33 GDPR, margin number 11 et seqq. (C.H. Beck 2024, 3rd Edition).
  18. Similarly, "where a processor is subject to Article 3(2) GDPR, it will be bound by the obligations on processors, of particular relevance here, the duty to notify a breach to the controller under Article 33(2) GDPR." See, EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 74 (available here).
  19. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 17 (C.H. Beck 2024, 4th Edition).
  20. See Recital 85.
  21. However, the concept is used in other provisions of the GDPR like Articles 27(2)(a) and 30(5) GDPR. See also these provisions for more information.
  22. See Recital 75 for more examples.
  23. It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “natural persons” rather than just “data subjects”. This suggests that the meaning of “risk” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.
  24. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 106 (available here).
  25. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 107 et seqq. (available here).
  26. Hladjk, in Ehmann, Selmayr, DSGVO, Article 33 GDPR, margin number 8 (C.H. Beck 2024, 3rd Edition).
  27. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 111 et seq. (available here).
  28. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 113 et seqq. (available here).
  29. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 116 (available here).
  30. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 117 (available here).
  31. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 118 (available here).
  32. See EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 119 (available here).
  33. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 79 (available here).
  34. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 16 (C.H. Beck 2024, 4th Edition).
  35. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 18 (C.H. Beck 2024, 4th Edition).
  36. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 19 (C.H. Beck 2024, 4th Edition).
  37. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 43 et seq. (available here).
  38. See Dix, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin numbers 19 et seq. (NOMOS 2025, 2nd Edition).
  39. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 18 (C.H. Beck 2024, 4th Edition).
  40. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 45 et seqq. (available here).
  41. It is relevant to note that the responsibility for the notification to the SA under Article 33(1) GDPR stays with the controller who, in turn, will only become “aware” of the breach once the processor notifies it. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 33 GDPR, p. 647 (Oxford University Press 2020).
  42. Compare Dix in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 33 GDPR, margin number 19 (C.H. Beck 2025, 2nd Edition).
  43. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
  44. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 17 (available here).
  45. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 50 (available here).
  46. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 50 (available here).
  47. See EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 51 et seq. (available here).
  48. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 20 (C.H. Beck 2024, 4th Edition).
  49. See Recital 85, i.e. "loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage".
  50. Hladjk, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 33 GDPR, margin number 17 (C.H. Beck 2024, 3rd Edition).
  51. König, Schaupp, in Knyrim, Der Datkomm, Article 79 GDPR, margin number 58/1 (rdb.at 2022) with further references.
  52. See Recital 88 “In setting detailed rules concerning format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. […].”
  53. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 54 et seq. (available here).
  54. Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 21 (C.H. Beck 2024, 4th Edition).
  55. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 57 (available here).
  56. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 22 (C.H. Beck 2024, 4th Edition).
  57. WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 16 (available here).
  58. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 23 (C.H. Beck 2024, 4th Edition).
  59. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 122 (available here).
  60. Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 24 (C.H. Beck 2024, 4th Edition); EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 122 (available here).
  61. EDPB, ‘Guidelines 9/2022 on personal data breach notification under GDPR’, 28 March 2023 (Version 2.0), margin number 124 (available here).
  62. Compare Jandt, in Kühling, Buchner, DS-GVO BDSG, Article 33 GDPR, margin number 26 (C.H. Beck 2024, 4th Edition).