Article 34 GDPR

← Article 34 - Communication of a personal data breach to the data subject →

Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

Article 34 - Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Relevant Recitals

Recital 87: Timing and Result of Notification

It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

Recital 88: Notification Rules and Procedures

In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

Commentary

Article 34, paragraph 1, GDPR imposes a new^[1] obligation on the controller to inform affected data subjects of a data breach which is likely to result in a high risk to the rights and freedoms of natural persons.^[2] Paragraph 2 describes the linguistic requirements the information should have ("clear and plain language"), its purpose (describing the nature of the breach) and minimum content (contact points, consequences, actions taken or otherwise planned). Paragraph 3 rules out the information obligation. For example, the controller has implemented appropriate technical and organisational measures to exclude any harm, Finally, paragraph 4, describes the powers of the supervisory authority which may force the controller to inform the data subjects or, alternatively, exempt it from such action if one of the requirements stated in paragraph 3 is met.

(1) Communication of a personal data breach to the data subject

Under Article 34(1) GDPR, the controller, without undue delay, communicates the personal data breach to data subjects when it is likely to result in a high risk to the rights and freedoms of natural persons.^[3] This provision carries both theoretical and practical importance. On one hand, it acknowledges the individual's subjective right to be informed about the security of their personal data. On the other hand, it enables data subjects to make strategic choices to safeguard their personal sphere. For example, they may choose to close their account with the data controller due to inadequate security measures or block their credit card if it has been compromised in the breach.

When the personal data breach

“Personal data breach” should be defined from the outset, before establishing the point at which a controller has a duty to notify the competent supervisory authority of such a breach.^[4]

Is likely to result in a high risk to the rights and freedoms of natural persons

Article 34(1) GDPR differs from Article 33 GDPR. Instead of having to notify the supervisor authority of a breach that leads to any kind of risk to data subjects, the controller only has the obligation to communicate a breach to them where it may lead to a “high risk to the rights and freedoms of natural persons”. The threshold for communicating the breach to data subjects concerned is therefore higher than in Article 33 GDPR. This choice has been argued to be reasonable, as this higher threshold was deemed necessary to avoid data subjects to suffer from a “fatigue” caused by the receipt of warnings for every breach of the GDPR.^[5] The controller has therefore to assess the level of risk which may ensue to data subjects as a result of a breach. According to the EDPB, whether a data breach creates a ‘high risk’ should be assessed in light of the specific circumstances in each case. As with Article 33 GDPR, this is an objective assessment conducted on the basis of the likelihood and severity of a negative impact on the rights and freedoms of natural persons. Examples of ‘high risk’ situations include, inter alia, a cyberattack on an online marketplace where usernames, passwords and purchase history are made public; a cyberattack on a hospital resulting in medical records being made inaccessible; or where personal data was mistakenly sent to a wrong mailing list (with over a thousand recipients).^[6] However, Bensoussan correctly suggests that the enforcement of Article 34 GDPR is likely to be difficult as the controller is the entity making the assessment of the level of the risk.^[7]

The controller

The reporting obligation outlined in paragraph 1 applies to the data controller, encompassing both natural persons and public or non-public entities as defined in Article 4(7). In cases where multiple controllers jointly determine the purposes and means of processing as defined in Article 26 of the GDPR, each controller is responsible for reporting their own data breaches as well as those of the other controller(s). However, it is possible for the controllers to establish a different arrangement regarding the reporting obligations through an agreement on joint responsibility as required under Article 26(1) of the GDPR.

Shall communicate the data breach to the data subject

The affected data subjects should be directly notified of the relevant breach. When communicating a breach to data subjects, dedicated messages should be utilized, separate from regular updates, newsletters, or standard messages. This approach ensures clear and transparent communication of the breach. Transparent communication methods include direct messaging via email, SMS, or direct message, prominently displayed website banners or notifications, postal communications, and prominent advertisements in print media. It should be noted that issuing a notification solely through a press release or corporate blog would not effectively communicate the breach to individuals. Controllers are in the best position to determine the most suitable contact channel for communicating a breach to individuals, especially if they have regular interactions with their customers. However, it is crucial for controllers to exercise caution when selecting a contact channel, as using a channel compromised by the breach could potentially enable attackers to impersonate the controller.^[8]

Without undue delay

Another requirement established by Article 34(1) GDPR is that controllers must notify data subjects of a data breach “without undue delay”. The WP29 Guidelines interpret this as “as soon as possible”^[9] or “as soon as reasonably feasible” (within the meaning Recital 86 GDPR). However, Article 34 GDPR does not provide a specific deadline of 72 hours as is the case in Article 33 GDPR. Instead, timelines will be assessed depending on the nature and gravity of the breach itself, as well as the level of risk to natural persons.^[10] This is apparent from Recital 86 GDPR, which provides an example of a scenario where the timeliness condition will be different: “the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.” Similarly, Recital 88 GDPR indicates that communication to data subjects may be delayed to preserve the integrity of an investigation led by a law-enforcement authority into the circumstances of the breach. In this context, it is noteworthy that as there is not specific deadline of 72 hours, the question of when this time limit formally begins does not arise.^[11]

(2) Minimal requirements of the controller's communication to the data subject

The communication to the data subject must contain a description of the (i) “nature” of the breach and the other elements outlined in Article 33(3)(b)-(d) GDPR. Hence, (ii) the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) the likely consequences of the personal data breach; and (iv) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. As indicated by the phrase “at least” found under Article 34(2) GDPR, this list of information to be provided to data subjects is non-exhaustive. Recital 86 GDPR outlines that the controller “should” provide “recommendations for the natural person concerned to mitigate potential adverse effects”. The information given to data subjects should therefore enable them to take any “necessary precautions”, which, although not directly mentioned by Article 33(3)(b)-(d) GDPR could be shared as additional information by the controller.

Clear and plain language

Under Article 34(2) GDPR, controllers must use “clear and plain language” when explaining the "nature" of the breach to data subjects. At first look, this requirement does not seem to apply to the other elements included in the communication (contact points, consequences, actions taken or otherwise planned). Such conclusion must be rejected. First, it would not make much sense to explain the "nature" of the breach in "clear and plain language" and then rely on obscure and cryptic wording for describing, say, the mitigating measures taken or planned. Second, Article 12(1) GDPR expressly requires "concise, transparent, intelligible and easily accessible form, [as well as] clear and plain language" for all communications to the data subject, including those foreseen in Article 34 GDPR.^[12] Hence, all the elements included in the communication must be expressed in clear and plain language, taking into account the other requirements set forth in Article 12 GDPR.

Minimal content of the communication

XXX ========== (i) Nature of the personal breach

The EDPB outlines three distinct categories of personal data breaches. These include a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; or an “availability breach”, where there is an accidental or unauthorised loss of access to, or destruction of, personal data. This is, in essence, the "nature" of the personal data breach.

The information that must be given to data subjects following a high risk breach must enable them to take any steps to protect themselves. This position adopted by the WP29 is supported by the text in Recital 86 GDPR: “The controller should communicate to the data subject a personal data breach … in order to allow him or her to take the necessary precautions”. Thus, Article 34 GDPR attempts to empower data subjects even in the event of a personal data breach that affects them

(3) Exemptions from the Obligation to Communicate to the Data Subject

Article 34(3) GDPR lists certain exemptions from the controller’s obligation to communicate the breach to data subjects concerned. The three exhaustive circumstances in which the controller is not required to communicate a breach are where: (a) it has “appropriate technical and organisational protection measures” in place. Such measures must be triggered and make the data concerned by the breach unintelligible to non-authorised persons. For example, this includes measures taken to encrypt the data (Article 34(3)(a) GDPR);^[13] (b) it takes “subsequent measures” that diminish the likelihood that a high risk to the rights and freedoms of the person concerned materialises (Article 34(3)(b) GDPR). According to the WP29 Guidelines, “subsequent” measures should be interpreted as immediate measures; (c) this would demand a disproportionate effort from the controller. Article 34(3)(c) GDPR specifies that in such cases, a public communication to inform the data subjects is sufficient. The WP29 suggests that “technical arrangements” must nonetheless be taken to ensure that data subjects can access further information upon request.^[14] According to Burton, the burden of proof falls on the controller to demonstrate that any of the aforementioned exemptions apply.^[15]

Implications for a Data Processor

There are no specific obligations imposed on processors relating to the communication of the breach to data subjects. Under Article 33(2) GDPR, processors have to notify controllers “without undue delay” where they identify a personal data breach.^[16] However, any additional obligation to notify data subjects of a “high risk” to their rights and freedoms only falls upon the controller. Article 28(3) GDPR nonetheless explains the role of processors in such situations. According to the provision, services provided to a controller by a processor must be “governed by a contract or other legal act”. In addition, Article 28(3)(f) GDPR specifically requires that this contract or legal act stipulate that the processor “shall” support the controller in ensuring compliance with obligations found under Article 32 to 36 GDPR. Thus, a contract between these parties can specify how the processor can support the controller in respecting the latter’s obligation to communicate the breach as per Article 34 GDPR.

(4) Involvement of the Supervisory Authority

As mentioned previously, the threshold of risk to trigger Article 34 GDPR is higher than in Article 33 GDPR. It is possible to deduce from this condition that wherever controllers have an obligation to communicate a data breach to data subjects under Article 34 GDPR, they will already have notified the relevant supervisory authority in accordance with Article 33(1) GDPR.^[17] Thus, since the supervisory authority should be aware of the data breach, it can also be involved in the controller’s procedure for communicating the breach to affected data subjects as required under Article 34(1) GDPR. Accordingly, Article 34(4) GDPR suggests that the supervisory authority can play a determinative role in indicating that there is a “high risk” to the rights and freedoms of natural persons. As highlighted in this paragraph, the notified supervisory authority can instruct the controller to communicate the breach to the affected data subjects.^[18] The supervisory authority can also decide whether any of the exemptions under Article 34(3) GDPR apply, relieving the controller from its obligation to communicate the personal data breach to affected individuals. Finally, the supervisory authority’s involvement can include the provision of advice to the controller. This advice can relate to the assessment of the risk to the data subjects. For example, the French DPA (CNIL) provides a tool to help controllers assess the gravity of personal data breaches.^[19] The relevant supervisory authority can also provide advice on the method of communicating the breach to data subjects, such as how to identify an adequate channel to notify them, the language to communicate in, and what kind of message to send.^[20]

Decisions

→ You can find all related decisions in Category:Article 34 GDPR

References

↑ As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).
↑ This obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under Article 33 GDPR.
↑ Hence, not all breaches must be communicated.
↑ On this point,see Article 33 GDPR.
↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
↑ EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 31 ff. (Annex B) (available here).
↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
↑ Controllers might therefore "wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach in accordance with Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available here).
↑ EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 20 (available here).
↑ See Recital 85.
↑ See Article 33 for a discussion on the moment where a data controller becomes “aware” of a data breach, triggering the notification obligation.
↑ Dix in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 8-9 (C.H. Beck 2019).
↑ The encryption must be "state-of-the-art".
↑ See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 22 (available here).]
↑ In our translation: "Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies". See, Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).
↑ See Commentary on Article 33 GDPR.
↑ Notifying the relevant supervisory is an obligation under Article 33 GDPR in cases of a “risk”, not just in cases of a “high risk”.
↑ In accordance with Article 33 GDPR.
↑ Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).
↑ WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 21 (available here).

[1] As with that provision, there was no equivalent to Article 34 GDPR in the Data Protection Directive 95/46/EC. Additionally, Article 17 thereof was the only comparable provision, requiring controllers to take adequate measures to protect personal data from breaches. Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 656 (Oxford University Press 2020).

[2] This obligation to notify data subjects exists independently from any obligation to notify the relevant supervisory authority under Article 33 GDPR.

[3] Hence, not all breaches must be communicated.

[4] On this point,see Article 33 GDPR.

[5] Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).

[6] EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, pp. 31 ff. (Annex B) (available here).

[7] Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).

[8] Controllers might therefore "wish to contact and consult the supervisory authority not only to seek advice about informing data subjects about a breach in accordance with Article 34, but also on the appropriate messages to be sent to, and the most appropriate way to contact, individuals." See, EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 21 (available here).

[9] EDPB, Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0), 28 March 2023, p. 20 (available here).

[10] See Recital 85.

[11] See Article 33 for a discussion on the moment where a data controller becomes “aware” of a data breach, triggering the notification obligation.

[12] Dix in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 34 GDPR, margin numbers 8-9 (C.H. Beck 2019).

[13] The encryption must be "state-of-the-art".

[14] See WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 22 (available here).]

[15] In our translation: "Data controllers will have to be able to demonstrate to DPAs that any of these conditions applies". See, Burton, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 34 GDPR, p. 662 (Oxford University Press 2020).

[16] See Commentary on Article 33 GDPR.

[17] Notifying the relevant supervisory is an obligation under Article 33 GDPR in cases of a “risk”, not just in cases of a “high risk”.

[18] In accordance with Article 33 GDPR.

[19] Bensoussan, Reglement europeen sur la protection des donnees, p. 255. (Bruylant 2017).

[20] WP29, ‘Guidelines on Personal data breach notification under Regulation 2016/679’, 18/EN WP250 rev.01, 3 October 2017, p. 21 (available here).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]