Data protection notifications (Art. 33 and 34)

Data protection notification to the supervisory authority

According to the GDPR, all personal data breaches must be reported to the competent supervisory authority without delay. This is called a data protection notification.

Examples of data protection risks:

  • An unencrypted mobile device (laptop, mobile phone, tablet, USB stick) has been lost / forgotten / stolen;
  • Hacker attack in which personal data was stolen;
  • Unintentional data leaks;
  • Personal data of the data subjects were sent to the wrong recipients;
  • Wage and salary data is visible to all employees due to a software error.

Deadline for a data protection notification

The data protection breach must be reported to the supervisory authority without undue delay, if possible within 72 hours after the breach became known.

The obligation to notify lies with the controller of the processing. The following information must be included in the data protection notification:

  • Description of the nature of the breach. The categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned, must be indicated as far as possible;
  • The name and contact details of the data protection officer for further information;
  • The likely consequences of the breach;
  • The measures taken or proposed to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.

If the controller cannot meet the 72-hour deadline, it must justify to the supervisory authority why the notification was made late.

Impact on those affected

Data protection and security breaches, if not responded to in a timely and appropriate manner, can have a major impact on the individuals concerned.

When is no notification necessary?

The controller does not have to make a data protection notification to the supervisory authority if the breach is not likely to result in a risk to the rights and freedoms of natural persons.

Whether or not the data breach has been reported, personal data breaches must be documented, including all related facts, their impact and the remedial action taken.

Notification to the parties concerned

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the data subjects of the breach without undue delay.

The notification must be made in clear and simple language and include the following points:

  • Name and contact details of the data protection officer or other point of contact;
  • Description of the nature of the breach and its likely consequences;
  • Targeted recommendations to mitigate the negative effects of the breach;
  • Measures taken / planned to rectify the data breach.

Such notifications would also have to be made as soon as reasonably practicable, in close consultation with the supervisory authority and in accordance with the instructions of the supervisory authority or other competent authorities (such as law enforcement authorities). For example, to mitigate the risk of immediate harm, data subjects would need to be notified immediately. A longer notification period may be justified in order to take appropriate measures against ongoing or similar personal data breaches.

When is no notification necessary?

Notification of the data subjects is not required if one of the following conditions is met:

  • The controller has taken sufficient technical and organisational measures to ensure that the risk to the rights and freedoms of the data subjects no longer exists (e.g. where sufficient encryption is in place for the lost data);
  • The controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to exist;
  • The notification involves a disproportionate effort. In that case, the controller must issue a public notice or take a similar measure by which the data subjects are informed in a comparably effective manner.

Summary: Notification or no notification?

In the event of security incidents and data breaches, we recommend that you contact your DPO who can assist you in resolving the incident.

Data protection supervisory authorities:

Below you will find the links to the forms of the supervisory authorities to which you can report the data protection breach.

Supervisory authority:

  • Mecklenburg-Western Pomerania
  • Lower Saxony
  • North Rhine-Westphalia
