GDPR Data Breach Notification: What the 72-Hour Rule Really Means
Most people think "data breach" means getting hacked. Under GDPR, an accidental email to the wrong person, a publicly accessible S3 bucket, or a lost laptop all count. Here's what you're actually required to do — and within what timeframe.
What Counts as a Personal Data Breach
GDPR Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data." That's deliberately broad.
Real-world examples that qualify:
- an S3 bucket set to public that contained user records
- a support agent who emailed a customer's order history to the wrong person
- a laptop stolen from a car that had unencrypted customer data
- ransomware that encrypted your database (even if you pay and get it back)
- a developer who left an admin endpoint unprotected and someone accessed it
Your data retention practices directly affect breach impact — the less old data you hold, the lower the exposure.
The breach doesn't have to be malicious. Accidental exposure counts. Your own employees accessing data they shouldn't counts.
When Does the 72-Hour Clock Start?
The clock starts when you "become aware" of the breach. Not when the breach happened. Not when you've fully investigated it. When someone in your organization first has reason to believe a breach has occurred.
This matters because breaches are often discovered after the fact. If someone finds your S3 bucket was public for two weeks, the 72-hour window opens when you discover that — not when the bucket was first exposed.
If you use a processor (like a cloud hosting provider) and they suffer a breach, their obligation is to notify you "without undue delay." Your 72-hour window to notify your supervisory authority starts from when they tell you. For SaaS products, having a documented breach response plan in place before a breach occurs is essential.
Article 33 vs Article 34: Two Different Obligations
This is where most guides skip the nuance. GDPR has two separate notification obligations for breaches, and they have different thresholds.
Article 33 requires you to notify your supervisory authority (the DPA in your lead EU member state) within 72 hours if the breach "is likely to result in a risk to the rights and freedoms of natural persons." This is a relatively low bar — most breaches involving more than trivial personal data will cross it.
Article 34 requires you to also notify the affected individuals if the breach "is likely to result in a high risk to the rights and freedoms of natural persons." The threshold is meaningfully higher. Minor incidents — a brief accidental disclosure that was immediately contained — may require supervisory authority notification but not user notification.
Rough guide to notification requirements
- DPA only (Article 33): Email sent to wrong person, contained quickly. Small number of records briefly exposed. No sensitive data involved.
- DPA + individuals (Articles 33 + 34): Financial data, health data, or passwords exposed. Large-scale breach. Data publicly indexed. Risk of identity theft or fraud.
- No notification required: The breach is unlikely to result in any risk — e.g., an encrypted laptop is lost but the data is inaccessible. You still need to document it internally.
What Your Notification Must Contain
Article 33(3) specifies the content for supervisory authority notifications. You need to describe: (a) the nature of the breach including categories and approximate number of individuals and records affected; (b) contact details of your DPO or data protection contact; (c) likely consequences of the breach; (d) measures taken or proposed to address the breach.
You can submit an initial notification within 72 hours with incomplete information, then provide additional details later. The regulation explicitly permits phased notification when you don't have everything in time. Document why information is missing and when you expect to have it.
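As an added example (not code from the original article), a small Python breach register that applies the rules above: the 72-hour deadline runs from awareness rather than from when the exposure began, and an Article 33 notification is only assembled once each Article 33(3) item is either supplied or explicitly deferred with a documented reason and expected date, as phased notification requires. The S3 scenario, the record counts and the contact address are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# The four items Article 33(3) requires in a notification to the supervisory authority.
ARTICLE_33_3_ITEMS = ("nature", "contact", "consequences", "measures")

@dataclass
class BreachRecord:
    aware_at: datetime            # when someone first had reason to believe a breach occurred
    details: dict = field(default_factory=dict)   # Art. 33(3) items known so far
    missing: dict = field(default_factory=dict)   # item -> (reason, expected_by), for phased notification

    def deadline(self) -> datetime:
        """72 hours from awareness, not from when the breach actually happened."""
        return self.aware_at + timedelta(hours=72)

    def validate(self) -> list:
        """Each Art. 33(3) item must be supplied, or deferred with a reason and an expected date."""
        problems = []
        for item in ARTICLE_33_3_ITEMS:
            if item not in self.details and item not in self.missing:
                problems.append(f"{item}: not supplied and no reason/expected date documented")
        return problems

    def build_notification(self, submitted_at: datetime) -> dict:
        """Assemble the initial (possibly phased) notification; refuse an undocumented gap."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        return {
            "submitted_at": submitted_at.isoformat(),
            "late": submitted_at > self.deadline(),   # Art. 33(1): a late notification must give reasons
            "phased": bool(self.missing),
            "provided": {k: self.details[k] for k in ARTICLE_33_3_ITEMS if k in self.details},
            "pending": {k: {"reason": r, "expected_by": d.isoformat()} for k, (r, d) in self.missing.items()},
        }

def sample_s3_exposure() -> BreachRecord:
    """Constructed scenario (not a real incident): a bucket public for two weeks before discovery."""
    exposed_at = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # does NOT start the clock
    discovered_at = exposed_at + timedelta(days=14)                # this does
    return BreachRecord(
        aware_at=discovered_at,
        details={"nature": "public S3 bucket; ~1,200 customer records (names, emails) [constructed]",
                 "contact": "dpo@example.com (placeholder)", "consequences": "phishing risk to customers"},
        missing={"measures": ("bucket made private; review of access logs still running",
                              discovered_at + timedelta(days=5))},
    )
```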
Where to Report
Your lead supervisory authority is the DPA in the EU member state where your "main establishment" is — usually where your EU headquarters or decision-making center is. If you're a UK or US company without an EU establishment, you report to the DPA of the member state where your affected users are located.
Key portals: ICO (UK) at ico.org.uk/report-a-breach, CNIL (France) at notifications.cnil.fr, BfDI (Germany) at bfdi.bund.de, and the DPC (Ireland) at forms.dataprotection.ie/report-a-breach.
The fine for failing to notify
Late or missing breach notifications have attracted significant fines. Marriott was fined £18.4 million by the ICO partly for delayed breach response. WhatsApp was fined €225 million partly for notification failures. The fine isn't just for the breach — it's for the response to it.
Check your site's security posture
Run a free GDPR scan to check SSL configuration, security headers, and other technical controls that reduce your breach risk.