When does the 72h deadline begin?

With awareness. ECJ C-340/21: Knowledge of relevant facts — not after internal assessment.

Must we report minor breaches?

No. Art. 33(1): Only for 'likely risk to rights and freedoms'. In practice 90% of breaches are reportable, but not always pursued.

For cross-border processing: lead authority. For national: competent state DPA.

What if we miss the 72h deadline?

Justification of delay required. Art. 33(1): 'without undue delay' + max 72h. For delay: €5-50k median fines.

When to inform data subjects?

Art. 34: For 'likely high risk to personal rights'. Examples: health data, financial data, identity data in larger numbers.

Newsletter information sufficient?

No. Art. 34: 'without delay' + 'in clear and plain language'. Personal email to affected.

72h data breach notification: the precise procedure (Articles 33 + 34 GDPR)

As of: 02 May 2026 · Last review: 02 May 2026· Category: GDPR

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding advice, please consult a licensed attorney.

TL;DR

72h deadline starts when the breach becomes known (CJEU C-340/21)
Threshold: "likely to result in a risk" — 90% of all breaches are notifiable
Article 34 (notification to data subjects) in cases of "high risk" — health, financial, identity data
Documentation obligation also for non-notifiable breaches (Article 33(5))
Fines for late notification: EUR 5,000-50,000 median in 2025 — for under-reporting, EUR 50,000+ not uncommon

1. Articles 33 + 34 GDPR

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority..." — Article 33(1) GDPR

Two levels:

Article 33: notification to the supervisory authority (always where there is a risk)
Article 34: information to data subjects (only in cases of high risk)

2. When is notification mandatory?

Example	Risk	Article 33?	Article 34?
Encrypted hard drive lost	low	no	no
Unencrypted HDD lost	high	YES	YES
E-mail to wrong recipient (master data)	low	YES	no
E-mail to wrong recipient (health data)	high	YES	YES
Ransomware with data exfiltration	high	YES	YES
Phishing attempt detected + repelled	none	no	no
Database backup stolen without encryption	high	YES	YES
Web form hacked with master data	medium	YES	variable

3. 72h response plan

Hour	Activity	Responsible
0-2h	Detection + crisis team activated	IT/SOC + Compliance
2-8h	Containment + initial forensics	IT team
8-24h	Classification: data categories affected + number + risk	DPO + Compliance
24-48h	Draft supervisory authority notification + management statement	DPO + managing director
48-72h	Submit notification + document confirmation	DPO
parallel	For Article 34: prepare notification to data subjects	DPO + Marketing

4. Notification to the supervisory authority

Mandatory contents (Article 33(3)):

Description of the breach (nature, circumstances)
Approximate number of data subjects affected + records
Data categories
Likely consequences
Remedial measures
Measures to mitigate harm
Contact details DPO / controller

Online portals for notification:

BfDI: bfdi.bund.de/datenpannen
BlfD Bavaria: lda.bayern.de
State-level data protection authorities: each with their own portals

5. Article 34: notification to data subjects

In cases of "high risk" to the rights and freedoms of data subjects — e.g. health data, financial data, identity documents.

Mandatory contents:

Clear description of the breach in plain language
Contact details DPO
Likely consequences
Measures to mitigate harm
Measures recommended to the data subject (change password, contact bank)

Exceptions under Article 34(3):

Encryption was effective (key not also compromised)
Measures effectively averted the risk
Disproportionate effort → public information instead

6. Mandatory documentation (Article 33(5))

Document EVERY data breach — including non-notifiable ones!

Date + time of occurrence + becoming aware
Detailed description
Consequences + risk assessment
Measures
Reasoning if no notification was made

7. 8 practical cases

Case	Response	Outcome
Law firm: e-mail sent to wrong recipient (50 client files)	72h notification + Article 34 information + recipient asked to delete	Fine EUR 8,500 (cooperative handling)
Online shop: SQL injection stole 25,000 customer records	72h notification + Article 34 information by e-mail to all data subjects	Fine EUR 45,000
HR software: 100 payslips incorrectly allocated	72h notification, no Article 34 (not high risk)	Warning, no fine
Health insurer: backup hard drive lost unencrypted	72h notification + Article 34 immediately	Fine EUR 250,000 (Article 9 data)
SaaS provider: customer data retrievable via API bug	72h notification + patch + Article 34	Fine EUR 120,000
Mid-sized company: phishing e-mail to board, no data leak	Documentation, no notification	Documentation audit successful
Cloud host: hardware defect with data loss	72h notification due to availability breach	Fine EUR 30,000
Insurance company: employee insider sold 1,000 customer records	Immediate notification + Article 34 + criminal complaint	Fine EUR 80,000 + damages

Data breach procedure + notification template + 8 escalation templates in the GDPR Kit.

Sources

Regulation (EU) 2016/679 (GDPR) — Art. 33 + 34 breach notification (As of: 2026-05-02)
CJEU C-340/21 — awareness threshold (Art. 33 GDPR) (As of: 2026-05-02)
EDPB Guidelines 04/2022 — calculation of administrative fines (As of: 2026-05-02)