Article 34 of GDPR: Data breach notification to data subjects
Article 34 of GDPR imposes a further data breach notification obligation on the data controller, this time to notify directly the data subjects concerned by the breach where it is likely to result in a high risk of adverse consequences for them.
Data breach notification obligation to data subjects (Article 34(1) GDPR)
When a company suffers a data breach that is likely to result in a high risk of adverse consequences for the data subjects, it must, in addition to notifying the supervisory authority, report the breach directly to the data subjects concerned.
The controller must notify the data subjects as soon as possible.
Content of data breach notification to data subjects (Article 34(2) GDPR)
An organization must inform the individuals impacted by the data breach in simple and clear terms.
The notification should contain:
- The nature of the data breach
- Name and contact details of the data controller’s data protection officer or point of contact
- The possible consequences of the data breach
- What measures have been taken to address the data breach and how the adverse consequences for data subjects are being mitigated
Instances when a data breach notification to data subjects is not required (Article 34(3) GDPR)
In some cases, GDPR exempts companies from notifying data subjects of a personal data breach.
Here are the instances where a data breach notification to data subjects is not required:
- When the affected data was protected by measures such as encryption, so that it could not be used even in the context of a data breach (Article 34(3)(a) GDPR)
- When the company has taken measures that prevent any significant risk of adverse consequences for the individuals concerned (Article 34(3)(b) GDPR)
- When directly notifying the data subjects would involve a disproportionate effort, although the company should then consider making a public communication or taking other measures to inform the data subjects (Article 34(3)(c) GDPR)
Supervisory authority imposing notification to data subjects (Article 34(4) GDPR)
Should the supervisory authority consider that a data breach could result in a significant risk to data subjects, it may require the data controller to notify the data subjects in accordance with the terms of Article 34 of GDPR.
The supervisory authority also has the power to determine that a data controller is exempt from notifying the data subjects based on Article 34(3).
Recitals applicable to Article 34 of GDPR
Relevant Recitals: 86, 87, 88
Cited Legislation in Article 34 or relevant recitals
GDPR Text: Article 34 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)