Lesson 10 of 25

Personal Data Breaches: Notification under Articles 33–34

5 min read · CIPP/E

Run the breach playbook: the 72-hour authority notification, the high-risk threshold for telling individuals, and the encryption and mitigation exceptions. Practise the two-threshold reasoning the exam rewards.

What counts as a personal data breach

  • Article 4(12) — breach of security leading to...
  • Destruction, loss, alteration, unauthorised disclosure or access
  • Three types: confidentiality, integrity, availability
  • A lost laptop or ransomware both qualify

A personal data breach is broader than a hacker stealing data. Article 4(12) defines it as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Privacy professionals group these into three types: a confidentiality breach, where data is disclosed or accessed without authorisation; an integrity breach, where data is altered without authorisation; and an availability breach, where data is lost or destroyed or made inaccessible.

So a stolen laptop, an email sent to the wrong recipient, and a ransomware attack that locks you out of your own records are all breaches, even the availability one where nobody stole anything. The exam tests that wide definition.

Article 33: notify the authority in 72 hours

  • Controller notifies the supervisory authority
  • Without undue delay, within 72 hours of becoming aware
  • Unless unlikely to risk individuals' rights and freedoms
  • Late? Explain the delay

Article 33 sets the rule everyone remembers, but the details matter. When a controller becomes aware of a personal data breach, it must notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two hours after becoming aware of it. The clock starts at awareness, not at the moment the breach happened.

There is one exception: notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. So the threshold for the authority is low: you notify unless you can show the breach is unlikely to pose any risk to individuals, and the burden of that judgement sits with the controller. And if you miss the seventy-two hours, the notification must be accompanied by reasons for the delay.

The exam often asks you to apply both the clock and the risk threshold.

What the notification must contain

  • Nature of the breach; categories and approximate numbers affected
  • Name and contact of the DPO or contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address it

Article 33 also specifies the content of the notification to the authority. At minimum you describe the nature of the breach, including the categories and approximate number of data subjects and records affected; you give the name and contact details of the data protection officer or other contact point; you describe the likely consequences of the breach; and you describe the measures taken or proposed to address it and mitigate harm. If you do not have all the details within seventy-two hours, you may provide the information in phases.

And separately, whether or not you notify the authority, the controller must document every breach internally under Article 33(5): the facts relating to the breach, its effects, and the remedial action taken, so the supervisory authority can verify compliance. That internal record is part of accountability, and it is also where the "unlikely to result in a risk" assessment that justified not notifying should be written down.

Article 34: tell the individuals when risk is high

  • Communicate to data subjects when risk is HIGH
  • Without undue delay; in clear, plain language
  • Two thresholds: 'risk' to the authority, 'high risk' to people
  • Exceptions: encryption, mitigation, or disproportionate effort

Article 34 governs telling the affected individuals, and it uses a higher threshold. You must communicate the breach to the data subjects only when it is likely to result in a high risk to their rights and freedoms. So notice the two-tier structure the exam loves: the authority gets told whenever there is a risk, but individuals get told only when there is a high risk.

The communication to individuals must be in clear and plain language, describe the nature of the breach, and carry at least the DPO or contact-point details, the likely consequences, and the measures taken or proposed (Article 34(2) points back to the same items required in the authority notification). There are three exceptions to telling individuals under Article 34(3): the data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it (which only holds if the key was not compromised); you have since taken measures that mean the high risk is no longer likely to materialise; or individual contact would involve disproportionate effort, in which case a public communication or similar measure that informs people equally effectively may suffice. One closing detail: under Article 34(4) the supervisory authority can itself decide that the breach is high risk and require you to communicate it.

Processor's role and worked example

  • Processor must notify the controller without undue delay (Art. 33(2))
  • Processor does NOT notify the authority directly
  • Example: encrypted laptop lost → maybe no individual notice
  • Example: medical records leaked → notify authority and patients

One role point: when a processor discovers a breach, it does not notify the supervisory authority itself; under Article 33(2) it must notify the controller without undue delay, and the controller then handles the authority notification. Now two quick worked examples. A laptop is lost, but its disk was strongly encrypted and the key was not compromised.

You will likely still log it and assess it, and the Article 33 question is answered separately from the Article 34 one. If the key was not compromised, encryption may mean there is no high risk to individuals, so Article 34 communication may not be required. Two caveats the exam can probe: the encryption only addresses confidentiality, so if there was no backup the loss is still an availability breach that needs assessing; and the authority notification under Article 33 turns on whether any risk is unlikely, not on whether the risk is high. Contrast that with a leak of unencrypted medical records: that is high risk, so you notify the authority within seventy-two hours under Article 33 and communicate to the affected patients under Article 34. Practising this two-threshold reasoning is exactly what the exam rewards.

Recap

  • Breach = confidentiality, integrity, or availability incident
  • Authority: notify within 72 hours unless risk unlikely (Art. 33)
  • Individuals: notify when HIGH risk (Art. 34), with exceptions
  • Processor tells the controller; controller tells the authority

So here is the breach playbook. A breach can be a loss of confidentiality, integrity, or availability. Under Article 33, the controller notifies the supervisory authority without undue delay and within seventy-two hours of becoming aware, unless the breach is unlikely to pose a risk.

Under Article 34, the controller communicates to the affected individuals only when the breach is likely to cause a high risk, subject to exceptions like encryption. A processor notifies the controller, not the authority. And every breach gets documented internally.

Next, we begin data subject rights, starting with access, rectification, and the famous right to be forgotten. First, go test yourself on breach notification.

Sources

  • Regulation (EU) 2016/679 (GDPR), Article 4(12) (definition of breach), Article 33 (notification to authority), Article 34 (communication to data subjects)
  • Recitals 85–88
  • EDPB Guidelines 9/2022 on breach notification

Test your knowledge

A few CIPP/E questions. Note that these four preview the data subject rights material that begins in the next lesson rather than the breach notification rules covered above.

  1. Q1. A data subject successfully exercises the right to rectification and the controller corrects the record. Under Article 19, what additional obligation does this trigger?

  2. Q2. A data subject contests the accuracy of their personal data. While the controller is verifying whether the data is accurate, which right applies and what does it allow?

  3. Q3. A data subject objects to receiving promotional emails from a company. The company believes it has a strong legitimate interest in direct marketing. What must the company do?

  4. Q4. A bank automatically rejects loan applications using an algorithm with no human involvement. The decision is legally significant for the applicant. Which GDPR provision applies and what safeguards are required?
