Art. 33 | Severity: critical | GDPR | European Union

GDPR Article 33 — Notification of a personal data breach to the supervisory authority

Enforced by: ICO (UK) / National DPAs
Current as of May 25, 2018
Plain Language Summary
Notify the supervisory authority of a personal data breach within 72 hours. The clock starts when you BECOME AWARE of the breach. Report what you know at that point and follow up with details.

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification shall describe the nature of the breach including categories and approximate number of data subjects concerned; communicate the name and contact details of the data protection officer; describe the likely consequences of the breach; describe the measures taken or proposed to address the breach.