Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
A personal data breach within the meaning of Article 4(12) GDPR is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. Where a risk is likely: 72-hour notification obligation to the supervisory authority (Article 33). Where a high risk is likely: additional notification to data subjects (Article 34).
Availability: loss, destruction (server crash without backup, destroyed records)
Practical examples:
- Phishing incident with compromised employee credentials → confidentiality
- Misdirected email containing personal data → confidentiality
- Ransomware attack with encrypted databases → availability + integrity
- Loss of an unencrypted laptop → confidentiality
Frequently asked questions
Does the 72-hour deadline apply at night and on weekends?
Yes. The deadline starts running upon awareness (not from the incident itself). In practice: 24/7 availability of the DPO and IT Security is mandatory.
What if I only gain clarity after 72 hours?
Notify nonetheless on the basis of current knowledge — Article 33(4) permits notification in phases.
Must I always inform data subjects?
Only where a high risk is likely (Article 34). Otherwise, notification to the supervisory authority plus internal documentation is sufficient.