Article 33

1 Mar 2022

Article 33 states that controllers must notify the supervisory authority if a personal data breach occurs. It also states that processors must notify controllers in case of a breach.

All controllers must report any personal data breach to the supervisory authority in the member state. This must be done with undue delay and the latest within 72 hours since the controller became aware of the breach.

If it is a high risk that the breach exposes data subjects’ rights and freedoms to a negative affection, the controller must inform the potentially affected data subjects and the supervisory authority.

When informing the supervisory authority, the breach should be explained in clear and understandable language, and the information should at least consist of:

Name and contact details of the controllers’ data protection officer or another contact point where more information can be obtained, if the controller does not have any data protection officer;
a description of the likely consequences form the data breach; and
a description of the measures taken or proposed to be taken by the controller to limit the damage of the breach.

This information is crucial for the supervisory authorities to help the controller limit the damage of the breach.

Article 34-When to notify your employees of an HR-data breach.

Related Terms:

European Essential Guarantees Recommendations

Data Protection Officer (DPO) guide

DPO conflict of interest

New SCCs from EU – the Definitive Guide

Legitimate Interest Assessment – all You Need to Know

GDPR article 49 derogations applicable to international transfers

How GDPR Affects Recruitment

Retention Policy – An overview

Follow to stay updated

most viewed

Schrems II a summary – all you need to know

What is a Personal Data Breach?

Audit Powers of the Data Protection Authority: How to Prepare

trending now

DPO conflict of interest

Schrems II a summary – all you need to know

Extra sensitive data