Legal Compliance

GDPR Data Breach: Notification Rules, Timelines, and Penalties

Learn what a GDPR data breach is, the 72-hour notification requirement, penalties for non-compliance, and steps to prepare your breach response plan.

TermsBox Team | April 4, 2026 | 12 min read

A GDPR data breach is one of the most urgent compliance events any organization can face. The moment you discover that personal data has been compromised, a strict regulatory clock starts ticking, and the decisions you make in the following hours determine whether you face a manageable incident or a regulatory enforcement action.

This guide explains what qualifies as a data breach under the GDPR, the notification obligations under Articles 33 and 34, the penalties for non-compliance, and the practical steps you should take to prepare. This is educational content and not legal advice. Consult a qualified attorney for guidance specific to your circumstances.

What Is a Data Breach Under the GDPR?

Understanding what constitutes a data breach under the GDPR is essential before you can build any response plan. The definition is broader than most people assume.

Article 4(12) of the GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." This definition covers three categories of breach:

  • Confidentiality breach: unauthorized or accidental disclosure of, or access to, personal data. Examples include a hacking incident that exposes a customer database, or an employee emailing personal records to the wrong recipient.
  • Integrity breach: unauthorized or accidental alteration of personal data. This could be a corrupted database that changes stored records, or an unauthorized party modifying medical files.
  • Availability breach: accidental or unauthorized loss of access to, or destruction of, personal data. A ransomware attack that locks you out of your systems or a server failure that permanently destroys customer data for which no backup exists both qualify.

The key point is that a GDPR data breach does not require a malicious attacker. Accidental incidents, such as a lost USB drive, a misconfigured cloud storage bucket, or a software bug that deletes records, all fall within the definition.

The 72-Hour GDPR Data Breach Notification Rule

Article 33 of the GDPR establishes one of the regulation's most time-sensitive obligations. When a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, the data controller must notify the competent supervisory authority.

When the Clock Starts

The 72-hour window begins from the moment the controller becomes "aware" of the breach. According to guidance from the European Data Protection Board (EDPB), a controller is considered aware when it has a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised.

This means the clock does not start when a breach is first detected by an automated system. It starts when someone with authority to act has been informed and confirmed that a breach involving personal data has taken place.

What the Notification Must Include

Article 33(3) specifies the minimum content for a supervisory authority notification:

  1. A description of the nature of the breach, including the approximate number of data subjects and records affected
  2. The name and contact details of the Data Protection Officer or other contact point
  3. A description of the likely consequences of the breach
  4. A description of the measures taken or proposed to address the breach and mitigate its effects

If all information is not available within 72 hours, Article 33(4) allows the controller to provide information in phases. The initial notification should include whatever details are available, with supplementary information submitted as the investigation progresses.

Processor Obligations

Data processors have a separate obligation under Article 33(2). After becoming aware of a personal data breach, a processor must notify the controller "without undue delay." The GDPR does not specify a fixed time limit for processors, but the EDPB recommends that processors notify controllers immediately so the controller's 72-hour window can begin. Your data processing agreements should specify concrete notification timescales for processors.

When to Notify Data Subjects

Article 34 of the GDPR requires a separate notification directly to affected individuals when a GDPR data breach is "likely to result in a high risk to the rights and freedoms of natural persons." This is a higher threshold than the supervisory authority notification, which triggers at plain "risk."

Notification to individuals must be made "without undue delay" and in clear, plain language. It must include at minimum:

  • The nature of the breach
  • The DPO or contact point name and details
  • The likely consequences
  • The measures taken or proposed to address the breach

Article 34(3) provides three exceptions where individual notification is not required:

  • The controller has applied appropriate protection measures (such as encryption) that render the data unintelligible to unauthorized parties
  • The controller has taken subsequent measures that ensure the high risk is no longer likely to materialize
  • Individual notification would involve disproportionate effort, in which case a public communication or similar measure is acceptable

The supervisory authority can also order a controller to notify individuals if it determines the breach meets the high-risk threshold and the controller has not already done so.

GDPR Data Breach Penalties

The financial consequences of mishandling a GDPR data breach extend beyond the breach itself. Penalties apply both to the underlying security failure and to any failures in the notification process.

Fines for Notification Failures

Under Article 83(4)(a), failure to properly notify a supervisory authority or affected data subjects of a breach can result in fines of up to 10 million EUR or 2% of global annual turnover, whichever is higher.

Fines for Underlying Violations

If the breach also involves violations of core GDPR principles (such as inadequate security measures under Article 32, or unlawful processing under Article 5), the upper tier of fines applies: up to 20 million EUR or 4% of global annual turnover under Article 83(5).

Real Enforcement Examples

Supervisory authorities across Europe have issued significant fines related to data breaches:

  • British Airways (2020): The UK Information Commissioner's Office fined BA 20 million GBP for a breach affecting approximately 400,000 customers. The fine was reduced from an initial notice of intent of 183 million GBP due to the economic impact of COVID-19, but the case demonstrated that breach-related fines can be substantial.
  • Marriott International (2020): The ICO issued an 18.4 million GBP fine following a breach that exposed 339 million guest records globally, with approximately 30 million relating to EEA residents.
  • Meta (2022): The Irish Data Protection Commission fined Meta 265 million EUR after a scraping incident exposed the personal data of over 500 million Facebook users.
  • Clearview AI (multiple): Several European DPAs have fined Clearview AI for scraping biometric data, with Italy, Greece, and France each issuing fines of 20 million EUR.

These cases show that regulators consider both the severity of the breach and the adequacy of the organization's response when determining penalties.

How to Prepare a GDPR Data Breach Response Plan

Preparation is the most effective way to minimize the impact of a GDPR data breach. Organizations that have a tested response plan consistently handle incidents faster and with better regulatory outcomes.

Establish a Breach Response Team

Define who is involved before a breach occurs. At minimum, your response team should include:

  • A senior decision-maker with authority to approve notifications
  • Your Data Protection Officer (if appointed) or legal counsel
  • IT security personnel who can investigate and contain the breach
  • Communications staff to handle data subject notifications and public statements

Create Detection and Escalation Procedures

Many breaches go undetected for weeks or months. Implement monitoring that can detect anomalies quickly, and establish a clear internal escalation path so that the right people are informed without delay. The faster you reach the "awareness" threshold, the more of your 72-hour window you preserve for investigation and preparation.

Maintain a Breach Register

Article 33(5) requires controllers to document all personal data breaches, regardless of whether they trigger the notification obligation. Your breach register should record:

  • The facts of the breach (what happened, when, how)
  • The effects and consequences
  • The remedial actions taken
  • The rationale for deciding whether to notify the supervisory authority and data subjects

This register serves as evidence of compliance and helps identify patterns that may indicate systemic security issues.

Document Your Processing Activities

Knowing what data you hold and where it is stored is a prerequisite for assessing breach impact. Maintaining an accurate Record of Processing Activities under Article 30 allows you to quickly determine which data subjects and data categories are affected when a breach occurs.

A clear privacy policy that accurately reflects your data processing practices also helps during breach investigations. If your privacy policy states that you process certain categories of data, your breach assessment team can use that as a starting point for impact analysis.

Assessing GDPR Data Breach Severity

Not every security incident triggers the notification obligation. The GDPR requires a risk assessment to determine whether the breach is likely to affect individuals' rights and freedoms.

Risk Assessment Factors

The EDPB recommends considering the following factors when assessing breach severity:

  • Type of breach: Confidentiality breaches involving sensitive data categories (health, financial, or biometric data) generally carry higher risk
  • Nature and sensitivity of the data: Special category data under Article 9 warrants more concern than basic contact information
  • Ease of identification: Can affected individuals be identified directly from the breached data, or only through combination with other sources?
  • Number of individuals affected: Larger-scale breaches carry greater aggregate risk
  • Severity of consequences: Could the breach lead to identity theft, financial loss, discrimination, or reputational damage?
  • Special characteristics of the individuals: Breaches involving children, employees, or other vulnerable groups are treated more seriously

When Notification May Not Be Required

A breach may not require supervisory authority notification if it is unlikely to result in any risk to individuals. Common scenarios include:

  • Encrypted data is lost or stolen, and the encryption key was not compromised
  • Personal data is briefly unavailable due to planned maintenance, and no external access occurred
  • Data was sent to the wrong internal recipient who had authorized access to similar data, and they confirmed deletion

Even in these cases, the breach must be recorded in your internal breach register.

Common GDPR Data Breach Mistakes

Organizations frequently make avoidable errors when handling data breaches. Being aware of these pitfalls helps you avoid compounding a bad situation.

Letting the internal assessment delay notification. Some organizations spend too long investigating before beginning the notification process. Remember that Article 33(4) allows phased notifications. Start the process with the information available and supplement it later.

Underestimating the scope. Initial assessments often undercount affected individuals. Build in buffers and update your notification as the investigation reveals the full picture.

Failing to notify processors or sub-processors. If a breach occurs at a processor, the controller is still responsible for supervisory authority notification. Ensure your data processing agreements include clear breach notification clauses.

Not documenting the decision-making process. Even when you decide that notification is not required, document why. Supervisory authorities may later question your assessment, and contemporaneous records are your best defense.

Ignoring cross-border implications. If your organization processes data across multiple EU member states, you may need to work with a lead supervisory authority under Article 56. The one-stop-shop mechanism simplifies this, but you must identify the correct lead authority in advance.

Tools like the TermsBox compliance scanner can help you maintain an ongoing picture of what data your website collects, making breach impact assessments faster when incidents occur.

GDPR Data Breach Notification Template

While every breach notification must be tailored to the specific incident, having a template structure reduces response time. Your supervisory authority notification should follow this structure:

  1. Organization details: Name, registration number, contact information, DPO details
  2. Breach description: What happened, when it was discovered, when you became aware
  3. Data categories affected: Types of personal data involved (names, emails, financial data, health data, etc.)
  4. Data subjects affected: Approximate number and categories (customers, employees, website visitors)
  5. Likely consequences: The risks affected individuals face as a result of the breach
  6. Measures taken: Immediate containment actions, ongoing investigation steps, planned remediation
  7. Cross-border element: Whether data subjects in other member states are affected

For individual notifications under Article 34, use plain language that a non-specialist can understand. Avoid legal jargon and focus on what the individual should do to protect themselves.

Your privacy policy should also describe how you handle data breaches and how individuals will be notified, reinforcing transparency even before an incident occurs.

Frequently Asked Questions

What is a data breach under the GDPR?

Under Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This covers everything from ransomware attacks and stolen laptops to misdirected emails containing personal information.

How quickly must a GDPR data breach be reported?

Article 33 of the GDPR requires data controllers to notify their supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals. If the 72-hour deadline cannot be met, the notification must include reasons for the delay. Processors must notify controllers without undue delay after discovering the breach.

What are the penalties for failing to report a GDPR data breach?

Failure to notify a breach can result in administrative fines of up to 10 million EUR or 2% of global annual turnover under Article 83(4)(a) of the GDPR. If the underlying breach also involves violations of core processing principles, fines can reach up to 20 million EUR or 4% of turnover.

Do all data breaches need to be reported under the GDPR?

No. Article 33(1) states that notification is required only when the breach is likely to result in a risk to the rights and freedoms of natural persons. Breaches that are unlikely to cause harm, such as encrypted data that remains unreadable to unauthorized parties, may not require supervisory authority notification. However, all breaches must be documented internally under Article 33(5).

© 2026 TermsBox. All rights reserved.