Article 33 GDPR

From GDPRhub
Article 33 - Notification of a personal data breach to the supervisory authority

Legal Text


Article 33 - Notification of a personal data breach to the supervisory authority


1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Commentary

Overview

Article 33 GDPR imposes an obligation on data controllers to notify the competent supervisory authority without undue delay where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons. The Article provides a non-exhaustive list of information that must be provided to the supervisory authority. It also outlines obligations imposed on data processors in such a scenario.

There was no equivalent to Article 33 under the Data Protection Directive 95/46/EC. Instead, Article 17 of the Directive only required the data controller to take adequate measures to protect personal data from breaches.[1] Certain Member States, however, did provide for a similar obligation in their national law. This was the case for Germany[2] as well as Spain[3], for example.[4]

According to Bensoussan, the drafting of Article 33 drew inspiration from Article 4 ePrivacy Directive 2002/58/EC. The latter imposes a notification obligation on providers of electronic communication services. However, unlike Article 33 GDPR, the ePrivacy Directive imposes a broader obligation on electronic communication services as they must notify authorities of all breaches rather than only those which pose a risk to natural persons.[5]

“Personal data breach”.

From the outset, it is important to define “personal data breach” before establishing the point at which a data controller has a duty to notify the competent supervisory authority of such a breach.

Definition.

According to Article 4(12) GDPR, a personal data breach refers to “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679 (hereafter “WP29 Notification Guidelines”) provide further guidance on the matter. They clarify that personal data breaches are types of “security incidents”. This means that whilst all personal data breaches are security incidents, not all security incidents are personal data breaches.[6]

Whilst Tosoni divides Article 4(12) GDPR into three key requirements[7], it may be more practical to divide it up differently. Accordingly, it is argued that Article 4(12) GDPR outlines that there is a personal data breach where there is:

- (1) a “breach of security”;

- (2) leading to the “accidental”, “unlawful” or “unauthorised”;

- (3) “destruction”, “loss”, “alteration”, “disclosure of”, or “access to”; and

- (4) “personal data transmitted, stored or otherwise processed”.

This division into four parts rather than three is to emphasise that the breach can be accidental as well as unlawful or unauthorised, and that it relates to already processed personal data.

Categories of breaches.

The WP29 outlines three distinct categories of personal data breaches. These include:

- “confidentiality breach” – a breach where personal data is disclosed accidentally or without authorisation.

- “integrity breach” – a breach where personal data is altered accidentally or without authorisation.

- “availability breach” – a breach where access to personal data is lost, or the personal data itself is destroyed, accidentally or without authorisation.

It is possible for a breach to be a combination of all three types.[8]

Data controller action in the event of a personal data breach.

Article 33(1) outlines that data controllers have an obligation to notify the competent supervisory authority of a personal data breach once they have become aware of it.

Awareness of a data breach.

Article 33(1) establishes that there is an obligation to notify the relevant supervisory authority only once the data controller becomes “aware” of a personal data breach. There is thus an awareness criterion to be fulfilled.

According to the WP29 Notification Guidelines, awareness entails having “reasonable certainty that a security incident has occurred which has led to personal data being compromised”.[9] This definition indicates a high threshold to prove awareness as it must be established that the data controller has “reasonable certainty”. Accordingly, there is a distinction between awareness as defined by WP29 and being informed of a potential breach.[10] Whilst being informed of a potential breach does not amount to “awareness”, it would trigger an obligation on the data controller to investigate further so as to determine[11] whether a breach of personal data has occurred.[12]

Condition of “risk”.

The obligation to notify the competent supervisory authority of a personal data breach is only triggered where the breach is likely to “result in a risk to the rights and freedoms of natural persons”. Therefore, the controller must ascertain whether a “risk” is likely to result from a personal data breach upon becoming aware of it.

Definition of risk.

The GDPR does not provide a clear definition of what a “risk to the rights and freedoms of natural persons” entails. Recital 75 only outlines potential situations where such risk is likely to result. For example, there will be a risk to the rights and freedoms in situations where there is identity theft, a data subject’s loss of control over their personal data or their inability to exercise related rights, amongst other situations.[13] Some of these are reiterated in Recital 85, which relates more directly to Article 33 GDPR. Although Recital 85 labels these as “physical, material or non-material damage to natural persons” rather than “risk”, Recital 75 does equate likelihood of “physical, material or non-material damage” to a “risk”.[14]

It is also relevant to note that Article 33(1) stipulates that the data controller must assess the risk to “natural persons” rather than just “data subjects”. This suggests that the meaning of “risk” must be interpreted broadly as affecting natural persons generally rather than just a risk posed to specific data subjects affected by the breach.

Likelihood and severity of risk.

The WP29 Notification Guidelines attempt to go beyond the GDPR to provide further guidance on how to assess the risk. The Guidelines highlight that data controllers must objectively consider the likelihood and severity (as also mentioned in Recital 75) of the impact of the breach on rights and freedoms.[15] They also outline that the data controller should consider:

- the category in which the breach falls (see 4.1.2.);

- the quantity of personal data breached and its sensitivity;

- how easily individuals can be identified;

- how serious the consequences of the breach are to individuals;

- whether individuals affected are particularly vulnerable;

- whether the data controller has a particular role that may entail a higher risk (e.g. a health-related controller); and

- the size of the breach in terms of numbers of individuals affected.[16]

It is important to emphasise that only the likelihood of a risk is required to trigger the notification obligation. Therefore, the data controller does not need to have absolute certainty that a breach has occurred before it takes further steps to comply with Article 33.

Notifying the competent supervisory authority without undue delay.
Competent supervisory authority.

Once the data controller has become aware of a personal data breach likely to “result in a risk to the rights and freedoms of natural persons”, Article 33(1) stipulates that the data controller must notify the “supervisory authority competent in accordance with Article 55”. Article 55 GDPR provides further clarity as to which authority must be notified.

As per Recital 87, the supervisory authority may then intervene “in accordance with its tasks and powers” as a result of Articles 55 to 59 GDPR.

Notifying without undue delay: general “72 hours” rule.  

Notifying the relevant supervisory authority must occur “without undue delay” according to Article 33(1). The obligation to act in a timely manner begins as soon as the data controller is “aware” (see above) of a personal data breach with the relevant level of risk.

According to Recital 87, the assessment of whether the data controller acted without undue delay “should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects”. Although this Recital suggests that the condition of “without undue delay” is circumstance-specific, Article 33(1) provides a general rule to satisfy this obligation: “where feasible”, the data controller must notify the relevant authority within a maximum of “72 hours”.

It is crucial that data controllers comply with this time condition, as the reason for imposing a time condition on the notification obligation is to limit the damage to natural persons affected by the personal data breach.[17]

Notifying without undue delay: after 72 hours.

As Article 33(1) only requires data controllers to notify the competent supervisory authority within 72 hours where feasible, it suggests that there may be cases where data controllers are permitted to take longer than 72 hours.

The final sentence of Article 33(1) provides that if the data controller fails to notify the supervisory authority within the stipulated 72 hours, it shall provide “reasons”. This further suggests that there are cases where taking longer than 72 hours to notify the relevant supervisory authority is still permissible under the GDPR[18].

Recital 88 provides an example of where notifying the supervisory authority after 72 hours is permissible. In circumstances where a rapid notification would “hamper” an investigation conducted by law enforcement authorities, the data controller has a valid reason for not complying with the generally applicable time condition in Article 33(1)[19]. It would presumably not be in breach of Article 33 in that case.

Regardless of whether the delayed notification is justified or not, the data controller must provide an explanation outlining why notifying the relevant authorities within 72 hours was not feasible (Article 33(1)).

Notifying without undue delay: notification in phases.

There are also circumstances where the data controller can only notify the competent authority in phases. This option, outlined in Article 33(4), is only permissible “in so far as, it is not possible to provide the information at the same time”. Again, there is the requirement that this should be “without undue further delay”. The WP29 further suggests that the data controller should also provide an explanation as to why it has notified the supervisory authority in phases.[20]

In any case, the possibility of notifying the supervisory authority in phases should not become common practice for data controllers.[21]

Implications of satisfying the time conditions.

It is relevant to note that the speed at which the data controller notifies the supervisory authority of the breach was a factor considered by the French DPA (CNIL) when assessing the level of the fine it sought to impose on a data controller for the data breach in the first place[22]. As a result of this decision, it is possible to argue that a timely response may be used to mitigate the fine imposed.

Conversely, the data controller is deemed to have failed in its obligations pursuant to Article 33 GDPR where it does not notify the competent supervisory authority “without undue delay”.[23] This would therefore amount to a punishable breach of the Article and may justify imposing a greater fine on the data controller.

Details of the notification.

Article 33(3) provides a list of the details that must be included in a notification to a supervisory authority. It is important to note that the phrase “shall at least […]” is used. Therefore, although the notification must include the elements enumerated from Article 33(3)(a) to (d), the data controller may provide further information to the competent supervisory authority.

Details to include: nature of the breach.

According to Article 33(3)(a), the data controller must “describe the nature of the personal data breach” to the supervisory authority. This must include the categories and approximate number of data subjects concerned as well as the categories and approximate number of personal data records concerned.

The GDPR does not provide additional information as to what these “categories” mean in this context. However, the WP29 suggests that this may be an attempt to identify various types of individuals at risk of damage due to the data breach[24], as well as different types of records processed by the data controller.[25]

The WP29 Notification Guidelines further clarify that data controllers should not rely on the absence of specific numbers of data subjects or personal data records concerned as a reason to evade their obligation to notify the competent supervisory authority. Instead, the controller can provide approximate numbers.[26]

Details to include: point of contact.

Article 33(3)(b) provides that notification to the supervisory authority must include the details of a point of contact. This would allow the supervisory authority to request further information should they need to for the purpose of carrying out an investigation.  

The Article specifies that the name and contact details of the data controller’s data protection officer are required. Alternatively, the data controller may provide details of a “point of contact” other than the data protection officer if this point of contact is able to provide further information should the supervisory authority require it.

Details to include: consequence of the breach.

Article 33(3)(c) requires the data controller to describe “likely consequences” of the data breach in its notification to the supervisory authority. It is important to note that such consequences do not need to have materialised before being included in the notification to the authority.

Although Recital 87 seems to distinguish “consequences” from “adverse effects” of a breach, it is argued that adverse effects are a subcategory of the consequences. Therefore, it is possible to look at the potential adverse effects listed in Recital 85. The Recital enumerates various examples of “physical, material or non-material damage to natural persons” caused by a personal data breach[27].

Details to include: measures taken or proposed.

Finally, Article 33(3)(d) stipulates that the data controller must outline any measures it has taken or plans to take to address the personal data breach. Where appropriate, this must also include the measures taken or planned to mitigate the possible adverse effects of the breach.

Additional details.

As mentioned, the data controller can provide information beyond that required pursuant to Article 33(3)(a) to (d).

It is important to note that Recital 88 indicates that the “rules concerning format and procedures applicable to the notification of personal data breaches” depend on the particular circumstances of each breach.[28] Therefore, any additional information that should be provided will differ according to each breach.

The WP29 Notification Guidelines provide an example of additional information that can be provided: the data controller can name the data processor responsible for the personal data breach. This may help other data controllers, which rely on services provided by the same processor, to take necessary measures against additional personal data breaches.[29]

Obligation to document the breach.

Article 33(5) outlines that the data controller must always document personal data breaches it is made aware of. The documentation must include:

- the facts of the breach;

- the effects it has; and

- the remedial action taken by the controller.

It is important to note that this applies to “all” breaches, regardless of the potential risk to the rights and freedoms of natural persons. This obligation is linked to the accountability principle under Article 5(2) GDPR.[30] Whilst this documentation is to help the supervisory authority in its duties, it can also benefit the data controller. The data controller may rely on it to justify their decision not to notify the supervisory authority of a breach where it considers that there is no likely risk.

Data processor action in the event of a personal data breach

Article 33(2) outlines that data processors have an obligation to notify the data controller of a personal data breach once they have become aware of it.

Awareness.

Article 33(2) outlines that data processors have the obligation to notify the data controller once they are “aware” of a personal data breach.

The GDPR does not elaborate much on this provision. However, it is suggested that the definition of awareness stipulated in 4.2.1. similarly applies to Article 33(2).

Notifying the data controller without undue delay.

There is a specific notification obligation imposed on the data processor as a result of Article 33(2) once awareness has been established.

Notifying the data controller.

According to Article 33(2), the data processor has the obligation to notify the data controller, rather than the competent supervisory authority, of a personal data breach it is made aware of. It is relevant to note that the data controller will become “aware” of the breach as soon as the data processor notifies it of a breach.[31]

This duty to notify the data controller falls in line with other obligations imposed by the GDPR on data processors. Article 33(2) provides further guidance into the relationship between a data controller and a data processor.  

Article 28(3) GDPR is helpful to understand the duty to notify pursuant to Article 33(2). Services provided to a data controller by a data processor must be “governed by a contract or other legal act […]” according to Article 28(3). In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the data processor “shall” support the data controller in ensuring compliance with obligations found under Articles 32 to 36 GDPR.

Therefore, a contract between the data controller and processor will specify how the obligation found within Article 33(2) must be complied with.[32] It is possible for the data controller to stipulate within its contract with the data processor that the latter must notify the supervisory authority directly in the event of a breach. However, the WP29 Notification Guidelines provide the reminder that the legal responsibility to notify will remain with the controller regardless of such a contract.[33]

Risk of the breach?

Article 33(2) does not require the data processor to assess the likelihood of the risk to the rights and freedoms of natural persons.

Instead, it appears that the data processor must report any personal data breach to the data controller. The latter will then assess the risk and notify the supervisory authority should the relevant risk level manifest itself.[34]

Again, the data controller can impose an obligation on the data processor to assess the risk level through their contractual arrangement pursuant to Article 28(3) GDPR. As above, the legal responsibility will nonetheless remain with the data controller.

Timing condition?

Article 33(2) does not specify any timing condition other than “without undue delay”. Whilst this does not have a time limit such as 72 hours, the WP29 suggests that the data processor must do so “promptly”.[35]

The contract between the data controller and the data processor, pursuant to Article 28(3), may stipulate the specific time frame in which the processor must notify the data controller.[36]


[1] Cedric Burton, “Article 33. Notification of a personal data breach to the supervisory authority” in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and Laura Drechsler (eds), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press 2020) 642.

[2] Section 42(a) German Federal Data Protection Act 2017.

[3] Spanish Data Protection Law 2007.

[4] Burton (n1) 643.

[5] Alain Bensoussan, Règlement européen sur la protection des données (2nd edn, Bruylant 2017) 250.

[6] WP29, “Guidelines on Personal data breach notification under Regulation 2016/679”, adopted on 3 October 2017; as last revised and adopted on 6 February 2018, 18/EN, WP 250 rev.01, 7.

[7] (1) violation of security measures; (2) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data; and (3) which qualify as “personal data”. See Luca Tosoni, “Article 4(12). Personal data breach” in Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and Laura Drechsler (eds), The EU General Data Protection Regulation (GDPR) – A Commentary (Oxford University Press 2020) 191.

[8] WP29 (n6) 7-8.

[9] Ibid 11.

[10] Ibid.

[11] i.e. gain “awareness”.

[12] WP29 (n6) 12.

[13] See Recital 75 above for more examples.

[14] In any case,

[15] WP29 (n6) 22.

[16] Ibid 24-26.

[17] See Recital 85.

[18] WP29 (n6) 16.

[19] See Recital 88, which stipulates that “[…] rules and procedures [concerning the format and procedures applicable to the notification of personal data breaches] should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach”.

[20] WP29 (n6) 15.

[21] Ibid 16.

[22] CNIL Delib. SAN-2017-010, 18-7-2017.

[23] WP29 (n6) 13.

[24] E.g. “children” would be a type of individuals compared to “employees” as another type.

[25] E.g. “health” would be a type of personal data records compared to “financial details” as another type. See WP29 (n6) 14.

[26] Ibid 14.

[27] “[…] loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage […]”

[28] See Recital 88 “In setting detailed rules concerning format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. […].”

[29] WP29 (n6) 15.

[30] Burton (n1) 649.

[31] Ibid 647.

[32] WP29 (n6) 13.

[33] Ibid 14.

[34] In compliance with its own data controller obligations pursuant to Article 33(1).

[35] WP29 (n6) 14.

[36] Ibid 14.
