Iubenda logo
Start generating


Table of Contents

GDPR Data Breach Notification

What should a GDPR data breach notification include? When do you need to report a data breach? Is it always mandatory to report it?
In this post, we’ll answer all these questions and show you what a GDPR data breach should include.

GDPR Data Breach Notification

The EDPB has published updated guidelines 9/2022 on personal data breach notification under the GDPR. The guidelines “clarify notification requirements for personal data breaches at non-EU establishments” and require that member states supervisory authorities are notified of such breaches when affected data subjects reside in a particular member state.

What is a data breach?

A data breach is a security incident that can lead to the destruction, loss, alteration, or unauthorized sharing of personal data. It can be both deliberate, caused by an external cyberattack, or accidental.

Indeed, some of the most common causes of a data breach are the lack of appropriate security systems and carelessness. For instance, devices containing confidential data get lost or stolen, employees give access to data to the wrong person.

Even though unintentional and probably harmless, these are still data breaches.

When do you need to report a data breach?

According to Article 33 of GDPR, you don’t need to report every data breach, but only those that are likely to result in a risk to individuals’ rights and freedoms.

If you happen to be a victim of such a data breach, you need to notify the Supervisory Authority within 72 hours, and you must inform users whose data was affected, too.

Failing to report such a data breach can expose you to fines up to €20 million or 4% of your annual worldwide turnover, not to mention, a lack of transparency can pose a devastating blow to your reputation and lead to loss of trust from your customers.

Please note that, whether you should report the breach or not, you need to keep records of all the breaches that happened to your company, no matter how insignificant they may be. Records will help authorities assessing that you’re complying with the law.

What should a GDPR Data Breach Notification include?

The GDPR mandates that a data breach notification includes, at the very least:

  1. a description of the data breach’s nature, including how many data subjects have been involved (approximately) and which categories of data have been affected;
  2. the name and contact details of the data protection officer, or any other contact where more information can be obtained;
  3. a description of the possible consequences of the breach;
  4. a description of the measures that the controller has taken or will take to address the data breach.

If you’re still in doubt, have a look at the ICO’s website here for some useful resources that can help you to understand what to do if a data breach happens.

💡 Keeping clear and detailed records of your internal processing activities can help you to stay on top of your processes and more easily access potential risks.

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.


📬 Want the latest news on Data Protection and Privacy delivered to your inbox? Join the list @ dponewsletter.com

See also