A controller must notify any personal data breach to the competent supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Notification must be made without undue delay and, where feasible, no later than 72 hours after the controller became aware of the breach; a later notification must be accompanied by the reasons for the delay.
If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also communicate the breach to the affected data subjects without undue delay, in addition to notifying the supervisory authority.
When notifying the supervisory authority, the controller should describe the breach in clear and understandable language, and the notification must at least contain:
- a description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
- the name and contact details of the controller's data protection officer or, if no data protection officer has been designated, of another contact point where more information can be obtained;
- a description of the likely consequences of the breach; and
- a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
This information is what the supervisory authority needs to assess the severity of the breach and to advise the controller on limiting its impact on the affected data subjects.