GDPR Breach Notification Template: Article 33 Compliance Guide
A GDPR breach notification is the mandatory report that data controllers must submit to their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Article 33 of the General Data Protection Regulation specifies the required content fields, timing obligations, and phased reporting provisions. This guide provides a practical template covering every required field, common supervisory authority expectations, and the process controls that prevent missed deadlines.
What fields does Article 33 require in a breach notification?
Article 33(3) specifies four categories of information that must be included in every supervisory authority notification. The notification must describe the nature of the breach, identify the data protection officer contact, describe the likely consequences, and outline the measures taken or proposed.
| Required Field | Description | Common Pitfall |
|---|---|---|
| Nature of breach | Categories and approximate number of data subjects and records concerned | Providing exact numbers too early, then having to revise significantly |
| DPO contact | Name and contact details of the data protection officer or other contact point | Listing a generic email that is unmonitored on weekends |
| Likely consequences | Description of likely consequences of the breach for data subjects | Using generic language instead of assessing actual risk to affected individuals |
| Measures taken | Measures taken or proposed to address the breach, including mitigation | Stating only containment actions without addressing future prevention |
The regulation permits phased reporting. If the controller cannot provide all information within 72 hours, Article 33(4) allows information to be provided in phases without undue further delay. This provision is essential for complex incidents where the full scope is not known within the initial window.
When exactly does the 72-hour notification clock start?
The 72-hour clock begins when the data controller becomes "aware" of a personal data breach. The European Data Protection Board (EDPB) has provided guidance clarifying that awareness occurs when the controller has a reasonable degree of certainty that a security incident has compromised personal data.
This distinction matters in practice. A SIEM alert about suspicious network activity does not automatically start the clock. The clock starts when the investigation confirms that personal data was actually or likely compromised. However, organizations cannot deliberately delay investigation to postpone the clock. The EDPB guidelines state that a controller should take reasonable steps to assess promptly, after an initial indication of a breach, whether personal data has been compromised.
How do you determine if a breach requires notification?
Not every personal data breach requires supervisory authority notification. Article 33(1) applies only when the breach is "likely to result in a risk to the rights and freedoms of natural persons." The assessment requires evaluating several factors.
- Type of breach: Confidentiality breaches (unauthorized access) generally carry higher risk than availability breaches (temporary loss of access)
- Nature of data: Special categories under Article 9 (health, biometric, racial data) trigger higher risk assessments
- Number of affected individuals: Larger numbers increase the likelihood of risk
- Ease of identification: Pseudonymized data that can be re-identified carries more risk than fully anonymized data
- Severity of consequences: Financial loss, identity theft, discrimination, or damage to reputation
Even when notification is not required, Article 33(5) mandates that all breaches be documented internally, including the facts, effects, and remedial actions. This internal documentation must be available to the supervisory authority on request. The full text of Article 33 details these requirements.
What does the supervisory authority notification process look like?
Each EU/EEA supervisory authority has its own notification portal and form, but the required content follows Article 33. The process typically involves an online submission through the authority's breach notification portal, followed by acknowledgment and potential follow-up questions.
For organizations subject to GDPR that also have U.S. operations, the notification landscape becomes more complex. State breach notification laws may apply simultaneously. The IR-OS regulatory deadline tracker manages overlapping notification windows across jurisdictions, ensuring that meeting one deadline does not cause you to miss another.
When personal data processing spans multiple EU member states, the controller must notify the lead supervisory authority, which is the authority in the member state where the controller has its main establishment. Cross-border breach notification requires understanding the one-stop-shop mechanism established by GDPR Article 56.
When must you notify affected individuals under Article 34?
Article 34 creates a separate obligation to notify affected data subjects directly when the breach is likely to result in a "high risk" to their rights and freedoms. The threshold is higher than the supervisory authority notification threshold.
Notification to individuals is not required if the controller has applied encryption or other technical measures that render data unintelligible to unauthorized parties, if the controller has taken subsequent measures that ensure the high risk is no longer likely to materialize, or if individual notification would involve disproportionate effort (in which case a public communication is acceptable).
Individual notifications must be in clear and plain language and must describe the nature of the breach, provide DPO contact details, describe likely consequences, and outline the measures taken. The EDPB guidelines provide detailed examples of when individual notification is and is not required.
How should you prepare your notification process before a breach occurs?
Preparing the notification process in advance is the single most effective way to meet the 72-hour deadline. Organizations that draft templates, pre-identify their supervisory authority, and establish internal escalation procedures during calm periods consistently outperform those that start from scratch during an incident.
Preparation should include pre-drafted notification templates with placeholder fields for breach-specific details, a documented decision tree for assessing notification requirements, identified supervisory authority contacts and portal access credentials, internal escalation procedures with defined roles and decision authority, and regular tabletop exercises that include the notification workflow.
The IR-OS Incident Response Playbook includes GDPR notification as an integrated workflow step rather than a separate process. This integration ensures that notification is not forgotten in the chaos of incident response and that the timeline evidence is captured automatically.
Organizations that practice breach notification workflows through tabletop exercises report 70% faster notification times during actual incidents compared to organizations that encounter the process for the first time during a real breach.
Frequently Asked Questions
Can we send a preliminary notification and update it later?
Yes. Article 33(4) explicitly permits phased reporting. You can submit an initial notification within 72 hours with the information available, then supplement it with additional details as your investigation progresses. Supervisory authorities prefer timely preliminary notifications over late complete ones. Document each supplemental submission in your incident record.
Does the 72-hour clock include weekends?
Yes. The 72-hour period runs continuously and includes weekends and holidays. If you become aware of a breach at 3:00 PM on Friday, your deadline is 3:00 PM on Monday. This is why preparation and pre-drafted templates are essential. You cannot wait until Monday morning to begin the notification process.
What if we are a processor, not a controller?
Data processors must notify the data controller without undue delay after becoming aware of a breach. The processor does not notify the supervisory authority directly. However, the processor must provide sufficient information to enable the controller to fulfill its Article 33 obligations within the 72-hour window. Processing agreements should define specific processor notification timelines.
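To make the timing and content rules above concrete, here is an added example (not IR-OS's code or anything from the page) that models a notification record with the four Article 33(3) fields, computes the continuous 72-hour deadline from the moment of awareness, tracks phased submissions under Article 33(4), and maps the page's risk thresholds to the Article 33(1), 33(5) and 34 duties. Field names, the risk labels and the Friday scenario values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)
# The four Article 33(3) content categories listed in the table above (names are assumed).
REQUIRED_FIELDS = ("nature_of_breach", "dpo_contact",
                   "likely_consequences", "measures_taken")


@dataclass
class BreachNotification:
    aware_at: datetime                               # when the controller became "aware" (UTC)
    content: dict = field(default_factory=dict)      # Article 33(3) content gathered so far
    submissions: list = field(default_factory=list)  # (timestamp, fields sent) per submission

    def deadline(self) -> datetime:
        # The 72-hour period runs continuously; weekends and holidays do not pause it.
        return self.aware_at + NOTIFICATION_WINDOW

    def missing_fields(self) -> list:
        return [f for f in REQUIRED_FIELDS if not self.content.get(f)]

    def submit(self, at: datetime, **fields) -> dict:
        """Record one submission; partial content is a phased report under Article 33(4)."""
        provided = {k: v for k, v in fields.items() if v}
        self.content.update(provided)
        self.submissions.append((at, sorted(provided)))
        return {"on_time": at <= self.deadline(),
                "complete": not self.missing_fields(),
                "missing": self.missing_fields()}


def obligations(risk: str, data_unintelligible: bool = False) -> dict:
    """Map the page's thresholds to duties: an Art. 33(5) internal record always, Art. 33(1)
    authority notification on 'risk' or 'high', Art. 34 individual notice on 'high' unless
    encryption renders the data unintelligible. Risk labels are constructed."""
    return {"document_internally": True,
            "notify_supervisory_authority": risk in ("risk", "high"),
            "notify_individuals": risk == "high" and not data_unintelligible}


def friday_scenario() -> tuple:
    """Constructed scenario from the FAQ: aware at 15:00 UTC on Friday 2024-03-08."""
    n = BreachNotification(aware_at=datetime(2024, 3, 8, 15, 0, tzinfo=timezone.utc))
    # Initial notification on Sunday morning with only the facts known so far (phased report).
    first = n.submit(n.aware_at + timedelta(hours=40),
                     nature_of_breach="approx. 1,200 customer records (constructed)",
                     dpo_contact="dpo@example.com (placeholder)")
    # Supplement after the deadline: permitted under 33(4) because the initial report was timely.
    second = n.submit(n.aware_at + timedelta(hours=96),
                      likely_consequences="possible phishing against affected customers",
                      measures_taken="credentials reset; access logging tightened")
    return n, first, second
```

The deadline lands at 15:00 on Monday, matching the FAQ, and the second submission is flagged as late only for completeness, since the timely partial report is what the 72-hour rule requires.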