Personal Data Breaches Under GDPR – How the 72-Hour Rule Works Across Europe

Apr 16, 2026 | GDPR and iGDPR guides for practitioners and beginners

A personal data breach is one of those events every organisation hopes will never happen — and one for which every organisation needs a documented procedure before it does. The GDPR introduced a mandatory 72-hour notification requirement that fundamentally changed how organisations respond to security incidents. But in practice, how that requirement is applied — and how supervisory authorities enforce it — varies significantly across the EU.

What Constitutes a Personal Data Breach

Article 4(12) GDPR defines a personal data breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Three types of breach are distinguished:

Confidentiality breach — unauthorised or accidental disclosure of personal data to a third party, or access to it by an unauthorised person. Examples: an email sent to the wrong recipient, a lost USB drive, a hacking incident, an employee accessing data they had no authorisation to access.

Integrity breach — unauthorised or accidental alteration of personal data. Examples: data modified by a ransomware attack, accidental overwriting of records.

Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data. Examples: a server failure causing loss of data, a ransomware attack encrypting data without available backups.

A ransomware attack typically constitutes all three types simultaneously: data is encrypted (availability breach), possibly exfiltrated (confidentiality breach), and its integrity cannot be guaranteed (integrity breach).

The 72-Hour Rule — What It Means in Practice

Article 33 GDPR requires the controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Three elements require careful attention:

“Becoming aware” — the clock starts when the controller has reasonable certainty that an incident has occurred, not when the investigation is complete. Supervisory authorities take the position that if an employee reports a suspicious incident, the controller has “become aware” and the 72 hours begin. Conducting an investigation before reporting — and thereby exceeding 72 hours — is a frequently cited violation.

“Where feasible” — where it is not possible to complete the notification within 72 hours, it may be submitted in phases. An initial notification within 72 hours, stating what is known, followed by a supplementary notification once more information is available, satisfies the requirement.

Risk threshold — not every breach requires notification to the supervisory authority. The test is whether the breach is “likely to result in a risk to the rights and freedoms” of affected individuals. A low-risk breach — for example, accidental deletion of data that was immediately recoverable from backup — may not require notification. But the assessment must be documented regardless: absence of notification must be justified.

When Must Data Subjects Be Notified

Article 34 GDPR imposes a separate obligation to notify affected individuals — but only where the breach is likely to result in a high risk to their rights and freedoms (a higher threshold than for supervisory authority notification).

The notification to data subjects must be made without undue delay — there is no specific time limit equivalent to the 72 hours, but supervisory authorities expect prompt action.

The notification must describe:

  • the nature of the breach
  • the name and contact details of the DPO or contact point
  • the likely consequences of the breach
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects

Notification to data subjects may be avoided where: the controller has implemented appropriate technical protection measures (e.g. encryption) that render the data unintelligible to anyone without the decryption key; the controller has taken subsequent measures that ensure the high risk is no longer likely to materialise; or notification would involve disproportionate effort (in which case a public communication may substitute).

How Enforcement Differs Across Europe

The GDPR’s breach notification rules are uniform — but supervisory authority enforcement varies considerably across member states:

Germany — the 16 German state data protection authorities (Datenschutzbehörden) each have their own approach. Some (notably Hamburg and Baden-Württemberg) are among the most active enforcers in Europe. Germany has the highest volume of reported breaches in the EU by absolute numbers — partly reflecting a culture of compliance and partly the fragmented regulatory structure. German authorities actively investigate whether the 72-hour deadline was met and whether the risk assessment was properly documented.

France — CNIL — the CNIL is one of the most active supervisory authorities in Europe and has made breach notification a priority area. France imposes fines not only for failure to notify but for deficient notifications — where the risk assessment was inadequate or the information provided to the supervisory authority was incomplete. The CNIL fined a healthcare operator in 2024 following a breach affecting 33 million patients, where the delay in notification and the inadequacy of security measures were both cited.

Netherlands — AP — the Dutch AP receives a high volume of breach notifications and has taken the position that breach notification procedures must be part of every organisation’s documented GDPR implementation. The AP actively pursues organisations that fail to notify breaches involving health data or financial data, where the risk to individuals is highest.

Ireland — DPC — as the lead supervisory authority for many major technology companies under the one-stop-shop mechanism, the DPC handles a disproportionate volume of significant breach notifications. The DPC’s approach has been criticised as slow by other supervisory authorities, but major cases — including the Meta WhatsApp breach fine of €225 million in 2021 — have demonstrated its willingness to impose large penalties.

Poland — UODO — the UODO published updated guidance on breach notification in January 2025, tightening the requirement to conduct a risk assessment for every incident regardless of apparent severity. Poland’s enforcement has focused particularly on the healthcare sector and public administration.

Spain — AEPD — Spain has one of the highest volumes of breach notifications in the EU and the AEPD is a frequent enforcer of notification deadlines. Spanish organisations in the financial and telecommunications sectors have been fined for late notification and for inadequate security measures that contributed to breaches.

What to Include in a Breach Register

Article 33(5) GDPR requires every controller to document all personal data breaches — including those not reported to the supervisory authority — in an internal breach register.

The register must contain:

  • facts relating to the breach (what happened, when, how discovered)
  • its effects (categories and approximate number of individuals affected, categories and approximate volume of records affected)
  • remedial action taken

The breach register is a standard document requested during supervisory inspections — including as evidence that the controller assessed non-reported incidents and documented the reasons for non-notification.

Building a Breach Response Procedure

An organisation that discovers a breach and has no documented procedure typically wastes the first 24 hours on internal confusion — identifying who is responsible, who needs to be informed, and what information needs to be gathered. By the time decisions are made, the 72-hour window is already closing.

A breach response procedure should cover:

Detection and escalation — who receives incident reports, what constitutes a potential breach, how to escalate to the person responsible for GDPR decisions.

Initial assessment — within the first hours: what data is involved, how many individuals, what type of breach, what is the likely risk level.

Decision on notification — is notification to the supervisory authority required? If not — why not, and is it documented? If yes — who prepares and submits the notification?

Communication to data subjects — is individual notification required? If notification to all affected individuals would involve disproportionate effort — is a public communication appropriate?

Documentation — regardless of the notification decision, every assessed incident must be entered in the breach register.

Post-incident review — what caused the breach, what security measure failed, what corrective action is needed.
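The register requirements of Article 33(5) and the procedure steps above translate naturally into a small incident-tracking tool. The following Python module is an added example written for this article; it is not code from iGDPR or any supervisory authority, and the three incidents in it are constructed samples. It records the moment the controller became aware (the point at which the 72-hour clock starts), distinguishes the initial notification from supplementary ones, refuses a record that lacks the mandatory facts or remedial action, and insists on a written justification whenever the decision is not to notify. The field names and the `Risk` thresholds are the author's assumptions, chosen to mirror the Article 33 and Article 34 tests described in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Article 33(1): "where feasible, not later than 72 hours after having become aware"
NOTIFICATION_WINDOW = timedelta(hours=72)


class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"
    INTEGRITY = "integrity"
    AVAILABILITY = "availability"


class Risk(Enum):
    UNLIKELY = "unlikely"     # no Article 33 notification, but the assessment is still recorded
    RISK = "risk"             # Article 33: notify the supervisory authority
    HIGH_RISK = "high_risk"   # Article 34: also notify the affected individuals


@dataclass
class BreachRecord:
    reference: str
    aware_at: datetime                 # clock starts here, not when the investigation ends
    facts: str                         # what happened, when, how discovered
    breach_types: set
    individuals_affected: int          # approximate; may be refined in a supplementary notice
    records_affected: int
    risk: Risk
    remedial_action: str
    non_notification_reason: Optional[str] = None
    authority_notified_at: list = field(default_factory=list)   # initial, then supplementary
    data_subjects_notified_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFICATION_WINDOW

    def authority_notification_required(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def data_subject_notification_required(self) -> bool:
        return self.risk is Risk.HIGH_RISK

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def notify_authority(self, at: datetime) -> str:
        """Record a notification; the first one is the initial (phased) notice."""
        self.authority_notified_at.append(at)
        return "initial" if len(self.authority_notified_at) == 1 else "supplementary"

    def compliance_issues(self, now: datetime) -> list:
        """Open issues an inspector would ask about; an empty list means none."""
        issues = []
        if self.authority_notification_required():
            if not self.authority_notified_at:
                if now > self.deadline():
                    issues.append("72-hour window expired with no notification to the authority")
                else:
                    issues.append(f"authority notification pending, {self.hours_remaining(now):.1f} h left")
            elif self.authority_notified_at[0] > self.deadline():
                late = (self.authority_notified_at[0] - self.deadline()).total_seconds() / 3600
                issues.append(f"initial notification was {late:.1f} h late")
        elif not self.non_notification_reason:
            issues.append("no documented justification for not notifying the authority")
        if self.data_subject_notification_required() and self.data_subjects_notified_at is None:
            issues.append("high risk: affected individuals not yet notified")
        return issues


class BreachRegister:
    """Article 33(5) register: every assessed incident, whether notified or not."""

    def __init__(self) -> None:
        self._records = {}

    def log(self, record: BreachRecord) -> None:
        # The three mandatory elements are facts, effects and remedial action.
        if not record.facts.strip() or not record.remedial_action.strip():
            raise ValueError(f"{record.reference}: facts and remedial action are mandatory")
        if record.individuals_affected < 0 or record.records_affected < 0:
            raise ValueError(f"{record.reference}: effects must be non-negative counts")
        self._records[record.reference] = record

    def get(self, reference: str) -> BreachRecord:
        return self._records[reference]

    def with_open_issues(self, now: datetime) -> dict:
        found = {r.reference: r.compliance_issues(now) for r in self._records.values()}
        return {ref: issues for ref, issues in found.items() if issues}


# Constructed sample timeline (not a real case): awareness at T0, review 80 hours later.
T0 = datetime(2026, 4, 10, 9, 0, tzinfo=timezone.utc)
NOW_80H = T0 + timedelta(hours=80)


def build_sample_register() -> BreachRegister:
    reg = BreachRegister()
    ransomware = BreachRecord("INC-001", T0, "Ransomware encrypted the file server; exfiltration suspected",
                              {BreachType.AVAILABILITY, BreachType.CONFIDENTIALITY, BreachType.INTEGRITY},
                              12000, 45000, Risk.HIGH_RISK, "Restored from offline backup; credentials rotated")
    ransomware.notify_authority(T0 + timedelta(hours=70))   # initial notice with what was known
    ransomware.notify_authority(T0 + timedelta(days=5))     # supplementary notice after forensics
    ransomware.data_subjects_notified_at = T0 + timedelta(days=2)
    reg.log(ransomware)
    reg.log(BreachRecord("INC-002", T0, "Email with one customer's address sent to the wrong colleague",
                         {BreachType.CONFIDENTIALITY}, 1, 1, Risk.UNLIKELY, "Recipient confirmed deletion",
                         non_notification_reason="Internal recipient, single record, deleted on request"))
    reg.log(BreachRecord("INC-003", T0, "Unencrypted USB drive with HR records lost",
                         {BreachType.CONFIDENTIALITY}, 350, 350, Risk.RISK, "Search; encryption policy enforced"))
    return reg


if __name__ == "__main__":
    for ref, issues in build_sample_register().with_open_issues(NOW_80H).items():
        print(ref, issues)
```

Run as a script, the module reports only INC-003: the lost drive was assessed as carrying a risk, nothing was sent to the authority, and the review runs 80 hours after awareness, so the window has already expired. INC-001 passes because the initial notice went out at hour 70 and the later forensic detail was filed as a supplementary notification, which is exactly the phased approach the article describes; INC-002 passes because the decision not to notify is recorded with its reason.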

Most Common Violations in Breach Management

Exceeding the 72-hour deadline. The most common violation — typically because the organisation waited for the investigation to be complete before notifying. Supervisory authorities consistently confirm: notify what you know, supplement later.

Failure to notify low-to-medium risk breaches. Organisations often conclude — without a documented risk assessment — that a breach does not require notification. The absence of documentation is the problem: the decision not to notify must be as well documented as the decision to notify.

No breach register. Absence of a documented breach register, including non-reported incidents, is a deficiency regularly identified during supervisory inspections.

Inadequate security measures as a contributing factor. Supervisory authorities increasingly combine breach notification findings with findings about the security measures that failed — leading to compound penalties under Articles 33 and 32 simultaneously.

Treating ransomware as an IT problem, not a GDPR event. A ransomware attack is almost always a personal data breach. Many organisations still treat it as a pure IT/security incident and notify IT support without triggering the GDPR breach response procedure.

Summary

A personal data breach is any security incident resulting in accidental or unlawful destruction, loss, alteration, disclosure of, or access to personal data. Notification to the supervisory authority within 72 hours is required unless the breach is unlikely to result in a risk to individuals’ rights. Notification to data subjects is required where there is a high risk. Every assessed incident — including those not notified — must be documented in a breach register. Enforcement varies across EU member states but the consistent requirement is: notify promptly, document your risk assessment, and have a procedure in place before the breach occurs.

FAQ

Does every data breach need to be reported to the supervisory authority?

No — only breaches likely to result in a risk to the rights and freedoms of natural persons. But the assessment of risk must be documented regardless. If you decide not to notify, that decision needs to be justified in writing.

What if 72 hours is not enough time to investigate?

Submit an initial notification within 72 hours with what you know, and follow up with supplementary information as the investigation progresses. The GDPR explicitly allows phased notification.

Is a ransomware attack a personal data breach?

Almost always yes — ransomware encrypts data (availability breach) and frequently involves exfiltration (confidentiality breach). It triggers the breach notification procedure unless it can be demonstrated that no personal data was accessible to the attacker, e.g. because all data was fully encrypted with keys held by the controller.

What happens if we notify late?

Late notification is one of the most commonly cited violations in supervisory enforcement. Penalties vary — from a formal reprimand to a significant fine depending on jurisdiction, the sensitivity of the data, and the number of affected individuals. Cooperation with the supervisory authority and prompt remedial action are typically mitigating factors.

Does the breach register need to be shared with the supervisory authority?

The breach register is an internal document — but controllers are required to make it available to the supervisory authority on request. It is regularly requested during inspections as evidence of the controller’s approach to breach management.

Your breach register and incident response — documented and ready for inspection

iGDPR provides a built-in breach register where you log every assessed incident, document your risk assessment, and generate a notification-ready report — in the time when every hour counts.
