Article 33 of GDPR: Data breach notification obligation
Article 33 of GDPR outlines the procedure to follow in the event of a personal data breach.
Under the terms of GDPR, companies are required to notify a personal data breach to the supervisory authority within 72 hours of becoming aware of the breach.
Data controller’s data breach notification obligation (Article 33(1) GDPR)
In the event of a personal data breach, the data controller is required to report the incident to the relevant supervisory authority as soon as possible, and no later than 72 hours after becoming aware of the breach.
If a company takes longer than 72 hours to report the breach to the supervisory authority, it must also give the reasons for the delay.
The data controller is not obliged to report the incident if the personal data breach is unlikely to pose any risk to the data subjects.
Data processor’s data breach notification obligation (Article 33(2) GDPR)
Similarly, if a data processor handling personal data on behalf of the data controller becomes aware of a data breach, it must notify the data controller as soon as possible after becoming aware of it.
Content of the data breach notification (Article 33(3) GDPR)
When a data breach notification must be sent to the supervisory authority, GDPR specifies what the notification must contain.
The data breach notification must contain:
- The nature of the personal data breach, including the categories of personal data concerned, the approximate number of data subjects affected and the approximate number of personal data records affected (Article 33(3)(a) GDPR)
- Name and contact details of the data controller’s data protection officer or point of contact (Article 33(3)(b) GDPR)
- The possible consequences of the data breach (Article 33(3)(c) GDPR)
- The measures taken to address the data breach and to mitigate its adverse effects on data subjects (Article 33(3)(d) GDPR)
Information disclosure (Article 33(4) GDPR)
In some cases, not all of this information will be available to the data controller at the time it reports to the supervisory authority.
In such cases, the data controller may provide the required information in phases as it becomes available.
Personal data breach documentation (Article 33(5) GDPR)
The data controller must document any personal data breaches.
In this process, it must document:
- The facts surrounding the data breach
- The effects of the data breach
- The remedial actions taken in light of the data breach
As needed, the data controller must make its documented records of data breaches available to the supervisory authority.
Recitals applicable to Article 33 of GDPR
Relevant Recitals: 85, 87, 88
Cited Legislation in Article 33 or relevant recitals
GDPR Text: Article 33 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)