Article 33 GDPR: Difference between revisions

← Article 33 - Notification of a personal data breach to the supervisory authority →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Relevant Recitals

Commentary

Article 33 GDPR imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay where is likely to result in a risk to the rights and freedoms of natural persons. It lays out a non-exhaustive list of information that must be provided to the supervisory authority and outlines obligations imposed on processors in such a scenario.

There was no equivalent to Article 33 GDPR under the Data Protection Directive 95/46/EC. Indeed, Article 17 of the Directive only required controllers to take adequate measures to protect personal data from breaches.^[1] However, Member States such as Germany^[2] as well as Spain^[3] provided for a similar obligation under their national law.^[4]

According to Bensoussan, the drafting of Article 33 GDPR drew inspiration from Article 4 ePrivacy Directive 2002/58/EC. The latter imposes a notification obligation on providers of electronic communication services. However, unlike Article 33 GDPR, the ePrivacy Directive imposes a broader obligation on electronic communication services as they must notify authorities of all breaches rather than only those which pose a risk to natural persons. Article 33 GDPR imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay where is likely to result in a risk to the rights and freedoms of natural persons. It lays out a non-exhaustive list of information that must be provided to the supervisory authority and outlines obligations imposed on processors in such a

scenario. ^[5]

EDPB Guidelines: on this Article, please see Guidelines 9/2022 on personal data breach notification under GDPR and also Guidelines 01/2021 on examples of personal data breach notifications and also Personal data breach notifications - WP29

(1) Data Controller Action in the Event of a Personal Data Breach

First, it is important to define the notion of “personal data breach” before assessing when a controller’s duty to notify the competent supervisory authority of such a breach arises.

WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 6 February 2018, p. 7 (available here).

“Personal Data Breach”

According to Article 4(12) GDPR, a personal data breach refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679 provide further guidance on the matter. They clarify that personal data breaches are types of “security incidents”. This indicates that whilst all personal data breaches are security incidents, not all security incidents are personal data breaches.^[6]

Article 4(12) GDPR outlines that there is a personal data breach where there is: (1) a “breach of security”; (2) leading to the “accidental”, “unlawful” or “unauthorised”; (3) “destruction”, “loss”, “alteration”, “disclosure of”, or “access to”; and (4) “personal data transmitted, stored or otherwise processed”. This division in four parts rather than three,^[7] emphasises that the breach can be accidental, unlawful or unauthorised and that it relates to previously processed personal data.

The WP29 outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where personal data is disclosed accidentally or without authorisation; an “integrity breach”, where personal data is altered accidentally or without authorisation; or an “availability breach”, where access to personal data or the personal data itself is destroyed accidentally or without authorisation. It is possible for a breach to be a combination of all three types.^[8]

Article 33(1) GDPR outlines that controllers have an obligation to notify the competent supervisory authority of personal data breach once they have become aware of it.

Awareness of a Data Breach

Article 33(1) GDPR establishes an obligation to notify the relevant supervisory authority once the controller becomes “aware” of a personal data breach. According to the WP29 Notification Guidelines, awareness entails having “reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised”. This definition suggests a high threshold to prove awareness, as it must be established that the controller has “reasonable certainty”. Accordingly, there is a distinction between awareness as defined by WP29 and being informed of a potential breach.^[9] Whilst being informed of a potential breach does not amount to “awareness”, it does trigger an obligation on the controller to investigate further to determine (i.e., to gain "awareness") whether a breach of personal data has occurred.^[10]

Condition of “Risk”

The obligation to notify the competent supervisory authority of a personal data breach is only triggered where the breach is likely to “result in a risk to the rights and freedoms of natural persons”. The controller must therefore ascertain whether a “risk” is likely to result from a personal data breach upon becoming aware of it.

The GDPR does not define what constitutes a “risk to the rights and freedoms of natural persons”. Recital 75 GDPR only outlines potential situations where such a risk is likely to materialise, such as in cases of identity theft, data subjects’ loss of control over their personal data or where they are unable to exercise related rights amongst other situations.^[11] Some of these are reiterated in Recital 85 GDPR, which relates more directly to Article 33 GDPR. Although Recital 85 GDPR labels these as “physical, material or non-material damage to natural persons” rather than “risk”, Recital 75 GDPR does equate likelihood of “physical, material or non-material damage” to a “risk”.

It is noteworthy that Article 33(1) GDPR stipulates that the controller must assess the risk to “natural persons” rather than just “data subjects”. This suggests that the meaning of “risk” must be interpreted broadly and as affecting natural persons generally rather than just specific data subjects.

Likelihood and Severity of Risk

The WP29 Notification Guidelines attempt to go beyond the GDPR to provide further guidance on how to assess the risk. The Guidelines highlight that controllers must objectively consider the likelihood and severity (as also mentioned in Recital 75 GDPR) of the impact of the breach on rights and freedoms. They also outline that the controller should consider: (i) the category in which the breach falls); (ii) the quantity and sensitivity of personal data; (iii) how easily individuals can be identified; (iv) how serious the consequences of the breach are to individuals; (v) whether individuals affected are particularly vulnerable; (vi) whether the controller has a particular role that may entail a higher risk (e.g. a health-related controller); and (vii) the size of the breach in terms of numbers of individuals affected. It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Thus, controllers do not need to be certain that a breach has occurred before taking further steps to comply with Article 33 GDPR.^[12]

Notifying the Competent Supervisory Authority without Undue Delay

Once the controller has become aware of a personal data breach likely to “result in a risk to the rights and freedoms of natural persons”, Article 33(1) GDPR stipulates that it must notify the “supervisory authority competent in accordance with Article 55”, which in turn provides further clarity as to which authority must be notified. As per Recital 87 GDPR, the supervisory authority may then intervene “in accordance with its tasks and powers” under Articles 55 to 59 GDPR.

Notifying without undue delay: general “72 hours” rule

Notifying the relevant supervisory authority must occur “without undue delay” from the moment controllers become “aware” of a personal data breach with the relevant level of risk. According to Recital 87 GDPR, the assessment of whether the controller acted without undue delay “should [take] into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects”. Although this suggests that the qualifier “without undue delay” is circumstance-specific, Article 33(1) GDPR provides a general rule to satisfy this obligation: “where feasible”, the controller must notify the relevant authority within a maximum of 72 hours. It is crucial that controllers comply with this deadline, as its core purpose is to limit the damage to natural persons affected by the data breach.^[13]

Notifying without Undue Delay: After 72 hours

Article 33(1) GDPR only requires controllers to notify the competent supervisory authority within 72 hours “where feasible”. This suggests that, in some instances, they can take longer than 72 hours to do so. Additionally, the final sentence of Article 33(1) GDPR stipulates that if a controller fails to notify the supervisory authority within 72 hours, it shall provide “reasons”. This further indicates that, in some cases, taking longer than 72 hours to notify the relevant supervisory authority is permissible under the GDPR.^[14] Recital 88 provides an example of such a scenario. Where a rapid notification would “hamper” an investigation conducted by law enforcement authorities, the controller has a valid reason for not complying with the general deadline in Article 33(1) GDPR.^[15] It would presumably not be in breach of Article 33 GDPR in that case. Regardless of whether the delayed notification is justified or not, the controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1) GDPR).

Implications of Satisfying the Time Conditions

It is relevant to note that the speed at which a controller notified the supervisory authority of a breach was a factor considered by the French DPA (CNIL) when assessing the level of a fine it sought to impose on a controller for the data breach.^[16] As a result of this decision, it is arguable that a timely response may be used to mitigate a fine. Conversely, a controller is deemed to have violated its obligations under Article 33 GDPR where it does not notify the competent supervisory authority “without undue delay”.^[17] This would amount to a punishable breach of the Article and may justify imposing a greater fine on the controller.

(2) Data Processors Action in the Event of a Personal Data Breach

Article 33(2) GDPR outlines that data processors have an obligation to notify the data controller of a personal data breach once it has become aware of it.

Awareness

Article 33(2) GDPR instructs processors to notify controllers once they become “aware” of a personal data breach. The GDPR does not elaborate much on this provision, but the definition of “aware” likely reflects its meaning under Article 33(1) GDPR.

Notifying the Data Controller without Undue Delay

According to Article 33(2) GDPR, the processor has the obligation to notify the controller, rather than the competent supervisory authority, of a data breach it is made aware of. It is relevant to note that the controller will become “aware” of the breach as soon as the processor notifies it of a breach.^[18] This duty to notify the controller falls in line with other obligations imposed by the GDPR on processors. Article 33(2) GDPR provides further guidance into the relationship between a controller and processor.   Article 28(3) GDPR is helpful to understand the duty to notify pursuant to Article 33(2) GDPR. Services provided to a controller by a processor must be “governed by a contract or other legal act […]” according to Article 28(3) GDPR. In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the processor “shall” support the controller in ensuring compliance with obligations found under Article 32 to 36 GDPR. Thus, a contract between the controller and processor will specify how the obligation found within Article 33(2) GDPR must be complied with. It possible for the controller to stipulate within its contract with the processor that the latter must notify the supervisory authority directly in the event of a breach. However, the WP29 Notification Guidelines state that the legal responsibility to notify the relevant DPA will remain with the controller regardless of such a contract.^[19] 

Risk of the Breach

Article 33(2) GDPR does not require the processor to assess the likelihood of the risk to the rights and freedoms of natural persons. Instead, it appears that the processor must report any personal data breach to the controller. The latter will then assess the risk and notify the supervisory authority should the required threshold be met.^[20] Again, the controller can impose a contractual obligation on the processor to assess the risk level pursuant to Article 28(3) GDPR. The legal responsibility will nonetheless ultimately remain with the controller.

Timing Condition

Article 33(2) GDPR does not set a deadline other than “without undue delay”, but the WP29 recommends that the processor must do so “promptly”. The contract between the controller and the processor pursuant to Article 28(3) GDPR may stipulate a specific time frame in which the processor must notify the controller.^[21]

(3) Details of the Notification.

Article 33(3) GDPR provides a list of details that the controller must include in a notification to a supervisory authority. It is important to note that the phrase “shall at least” is used. Therefore, although the notification must include the elements enumerated from Article 33(3)(a) to (d) GDPR, the controller may provide further information to the competent supervisory authority.

Nature of the Breach

According to Article 33(3)(a) GDPR, the controller must “describe the nature of the personal data breach” to the supervisory authority. This must include the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned. The GDPR does not provide additional information as to what these “categories” mean in this context. However, the WP29 suggests that this may be an attempt to identify various types of individuals at risk of damage caused by the data breach,^[22] as well as different types of records processed by the controller.^[23] The WP29 Notification Guidelines further clarify that controllers should not rely on the absence of specific numbers of data subject or personal data records concerned as a reason to evade its obligation to notify the competent supervisory authority. Instead, the controller can provide approximate numbers.^[24]

Point of Contact

Article 33(3)(b) GDPR requires the notification to the supervisory authority to include the details of a point of contact, allowing the supervisory authority to request further information should where needed carry out an investigation. The provision specifies that the name and contact details of the controller’s data protection officer are required. Alternatively, the controller may provide details of a “point of contact” capable of sharing further information should the supervisory authority require it.

Consequence of the Breach

Article 33(3)(c) GDPR requires the controller to describe the “likely consequences” of the data breach in its notification to the supervisory authority. It is important to note that such consequences do not need to have materialised at that point. Although Recital 87 GDPR seems to distinguish the “consequences” of a breach from its “adverse effects”, it is argued that the latter can be viewed as a subcategory of the former. Thus, controllers should consider the potential adverse effects listed in Recital 85 GDPR, which enumerates various examples of “physical, material or non-material damage to natural persons” caused by a personal data breach.^[25]

Measures Taken or Proposed

Finally, Article 33(3)(d) GDPR stipulates that the controller must outline any measures it has taken or plans to take to respond to the personal data breach. The controller must also describe the measures taken or planned to mitigate possible adverse effects.

Additional Details

As mentioned, the controller can provide further information than that required pursuant to Article 33(3)(a) to (d) GDPR. It is important to note that Recital 88 GDPR indicates that the “rules concerning format and procedures applicable to the notification of personal data breaches” depend on the particular circumstances of each breach.^[26] Any additional information that should be provided will therefore differ according to each breach. An example of such information was provided by the WP29, which suggested that the controller can name the processor responsible for the personal data breach. This may help other controllers, which rely on services provided by the same processor, to take necessary measures against additional personal data breaches.

(4) Notifying without Undue Delay: Notification in Phases

There are also circumstances where the controller can only notify the competent authority in phases. This option, outlined in Article 33(4) GDPR, is only permissible “in so far as, it is not possible to provide the information at the same time”. Again, this should occur “without undue further delay”. The WP29 additionally recommended that the controller should also provide reasons as to why it had notified the supervisory authority in phases. In any case, the possibility of notifying the supervisory authority in phases should not become common practice for controllers.^[27]

(5) Obligation to Document the Breach

Article 33(5) GDPR requires controllers to always document personal data breaches they are made aware of. The documentation must include: the facts of the breach; the effects it has; and the remedial action taken by the controller. It is important to note that this applies to “all” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.^[28] Whilst this documentation exists to help the supervisory authority in its duties, it can also benefit the controller itself. Indeed, it may rely on it to justify its decision not to notify the supervisory authority of a breach where it considers that there is no likely risk.

Decisions

→ You can find all related decisions in Category:Article 33 GDPR

References