The General Data Protection Regulation (GDPR) is built around one core idea: personal data must be protected, and when something goes wrong, transparency and accountability are essential. Among all GDPR provisions, Article 33 plays a critical operational role because it governs what organizations must do when a personal data breach occurs.
Article 33 does not try to prevent breaches—that responsibility is covered by technical and organizational measures elsewhere in the GDPR. Instead, Article 33 focuses on damage control, risk mitigation, and regulatory oversight. It defines when, how, and under what conditions a controller must notify the supervisory authority about a breach.
Many organizations misunderstand Article 33. Some believe every breach must be reported. Others assume reporting is optional if no harm has occurred. In reality, Article 33 sets out a nuanced, risk-based approach that requires careful assessment, documentation, and timely action.
What Is GDPR Article 33?
Article 33 governs the notification of a personal data breach to the supervisory authority.
In simple terms, it answers four key questions:
- Who must notify?
- When must notification happen?
- What information must be included?
- What if notification is delayed or not required?
Article 33 applies only to controllers, not processors—although processors have their own obligations to inform controllers without undue delay.
What Counts as a Personal Data Breach?
Before turning to notification duties, it is essential to understand what qualifies as a personal data breach.
A personal data breach is:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
This definition is intentionally broad and covers three main categories:
1. Confidentiality Breach
Unauthorized disclosure of, or access to, personal data. Examples:
- Sending personal data to the wrong recipient
- Hacking incidents
- Exposed databases
2. Integrity Breach
Unauthorized alteration of personal data. Examples:
- Data manipulation by an attacker
- Accidental corruption of records
3. Availability Breach
Loss of access to personal data. Examples:
- Ransomware encryption
- Accidental deletion without backups
Whenever an incident in any of these categories affects personal data, Article 33 may apply.
Who Is Responsible for Notification?
The Controller’s Responsibility
Under Article 33, the data controller is solely responsible for notifying the supervisory authority.
Even if the breach occurred at a processor (for example, a cloud provider), the legal obligation to notify lies with the controller.
The Processor’s Role
Processors must:
- Notify the controller without undue delay after becoming aware of a breach
- Provide sufficient details to allow the controller to assess risk and comply with Article 33
Failure by a processor to inform the controller can itself be a GDPR violation.
When Must a Breach Be Reported?
The 72-Hour Rule
Article 33 requires notification:
Without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach
Key points:
- The clock starts when the controller becomes aware of the breach—not when it happened
- “Where feasible” allows limited flexibility, not open-ended delays
- Regulators expect prompt initial reporting, even if all facts are not yet known
What If Notification Takes Longer Than 72 Hours?
If notification is made after 72 hours, the controller must:
- Provide reasons for the delay
- Explain what prevented timely notification
Delays without justification are considered non-compliance.
When Notification Is NOT Required
Not every breach must be reported.
Article 33 states that notification is not required if:
The personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
This makes the test risk-based, not harm-based: what matters is the likelihood of risk to individuals, not whether harm has already occurred.
Factors to Consider in Risk Assessment
- Type of personal data involved
- Sensitivity of the data
- Volume of data
- Ease of identification of individuals
- Likelihood of misuse
- Potential consequences (financial, reputational, physical, emotional)
If the risk is negligible, notification may not be required—but the decision must be documented.
What Must Be Included in a Breach Notification?
Article 33 specifies four minimum elements:
1. Description of the Breach
This includes:
- Nature of the breach
- Categories of personal data affected
- Approximate number of data subjects
- Approximate number of records concerned
Exact numbers are not required if unavailable, but reasonable estimates should be provided.
2. Contact Details
The controller must provide:
- Contact information for the data protection officer (if applicable)
- Or another contact point for further information
3. Likely Consequences
A description of:
- Potential risks to individuals
- Possible harm scenarios
This demonstrates that the controller has performed a proper risk analysis.
4. Measures Taken or Proposed
This includes:
- Steps already taken to address the breach
- Measures to mitigate adverse effects
- Future prevention actions, where relevant
Can Notification Be Phased?
Yes.
Article 33 allows notification to be made in phases:
- Initial notification within 72 hours
- Follow-up reports as more information becomes available
This is particularly important for complex incidents such as cyberattacks or ransomware cases.
Documentation Obligations Under Article 33
Even when notification is not required, controllers must:
- Document all personal data breaches
- Record facts, effects, and remedial actions
This documentation must be sufficient to:
- Demonstrate compliance
- Allow supervisory authorities to verify decision-making
Failure to document breaches is itself a GDPR violation.
Relationship Between Article 33 and Article 34
While Article 33 focuses on notifying authorities, Article 34 deals with notifying data subjects.
Key difference:
- Article 33 → Supervisory authority
- Article 34 → Affected individuals
A breach may require:
- Notification under Article 33 only
- Notification under both Article 33 and Article 34
- No notification at all (but documentation still required)
Penalties for Non-Compliance
Failure to comply with Article 33 can lead to:
- Administrative fines
- Regulatory investigations
- Reputational damage
- Increased scrutiny in future audits
Article 33 violations fall under GDPR’s higher-tier penalty framework, depending on circumstances.
Example 1: Misaddressed Payroll Email
A company accidentally emails a payroll file containing names, salaries, and bank account numbers to the wrong external recipient.
Assessment
- Personal data involved: financial data
- Unauthorized disclosure
- Clear risk of financial harm
Action
- Notify supervisory authority within 72 hours
- Document breach details
- Notify affected employees under Article 34
Article 33 Compliance
✔ Notification required
✔ Risk present
✔ Full reporting justified
Example 2: Lost Encrypted Laptop
An employee loses a company laptop containing personal data, but the disk is fully encrypted and protected by strong authentication.
Assessment
- Personal data involved
- Loss of device
- Data unreadable without encryption keys
Action
- Conduct risk assessment
- Determine low likelihood of misuse
- Document decision not to notify
Article 33 Compliance
✘ Notification not required
✔ Documentation required
Encryption significantly reduces risk.
Example 3: Ransomware Attack on Customer Database
A ransomware attack encrypts a customer database containing names, emails, and purchase history. No evidence of data exfiltration yet.
Assessment
- Availability breach
- Potential confidentiality risk
- Uncertainty about data access
Action
- Notify authority within 72 hours
- Submit initial notification
- Provide updates as investigation continues
Article 33 Compliance
✔ Notification required
✔ Phased reporting appropriate
Uncertainty itself increases risk.
Example 4: Internal HR File Deleted Accidentally
An HR employee accidentally deletes a file containing employee performance reviews. Backups restore the file within two hours.
Assessment
- Temporary availability breach
- Short duration
- No lasting impact
- No data exposure
Action
- Document incident internally
- No notification to authority
Article 33 Compliance
✘ Notification not required
✔ Documentation required
Minimal risk and swift recovery are what justify the decision not to notify.
Example 5: Third-Party Processor Breach
A marketing processor experiences a breach exposing email addresses and marketing preferences of customers.
Assessment
- Processor informs controller promptly
- Personal data disclosed
- Risk of spam and profiling
Action
- Controller assesses risk
- Notifies authority within 72 hours
- Updates internal breach register
Article 33 Compliance
✔ Controller responsible
✔ Processor duty fulfilled
Responsibility remains with the controller.
Common Misunderstandings About Article 33
“Only big breaches must be reported”
False. Size matters less than risk.
“If data wasn’t misused, we don’t report”
Incorrect. Likelihood of risk, not proof of misuse, is the standard.
“The 72 hours start after investigation”
False. The clock starts when awareness occurs.
“Processors notify authorities directly”
Incorrect. Only controllers notify authorities.
Best Practices for Article 33 Compliance
- Maintain a breach response plan
- Define internal escalation paths
- Train employees on breach recognition
- Keep a breach register
- Involve legal and DPO early
- Practice breach simulations
Preparedness is the difference between compliance and chaos.
Conclusion
GDPR Article 33 is not about punishment—it is about responsibility, transparency, and risk management. Organizations that understand Article 33 treat breach notification as a structured process, not a panic-driven reaction.
By applying a consistent risk-based approach, documenting decisions carefully, and acting swiftly when required, controllers can meet their obligations while protecting both individuals and their own organizations.