When do you need to report data breaches? And what should be included in your documentation?
What exactly is a data breach?
The law refers to it, somewhat awkwardly, as a “personal data breach” (Art. 4 No. 12 GDPR). This includes, for example, situations where personal data is accidentally or unlawfully
- disclosed to unauthorized persons,
- is destroyed or
- lost, or
- it is altered without authorization.
Typical examples from everyday life: a lost company cell phone, an email sent to the wrong address, a ransomware attack, or a job application that ends up in the wrong trash bin.
Do we have to report every incident to the relevant supervisory authority?
First, the good news: No.
Article 33 of the GDPR states that a report to the supervisory authority is only required if the incident “is likely to result in a risk to the rights and freedoms” of the data subjects. If the incident is not likely to pose a risk, you may choose not to report it – but you must be able to justify this assessment. This means you must investigate the incident, evaluate it, and always document the results.
The 72-hour deadline: What exactly does that mean?
If a report must be reported to the supervisory authority, the clock starts ticking: The report must be submitted “without undue delay and, where possible, within 72 hours” after you become aware of the incident. This deadline is tight – which is why it helps enormously to know in advance who needs to be notified internally and what information will be required. Incidentally, if not all the information is available yet, you may also submit the report in stages.
And what if the internal review shows that we don’t have to report it?
Even then, you must document the breach. Article 33(5) of the GDPR requires that you record all breaches internally – even those that you (justifiably) do not report. At a minimum, the following should be recorded:
- the facts of the matter (what happened, which data was involved, and how many data subjects were affected?),
- the impact or the assessed (lack of) risk,
- the corrective measures taken.
- This documentation serves as your proof to the supervisory authority that you assessed the incident and took appropriate action.
When do I also inform the data subjects?
If the breach is expected to pose a high risk to the data subjects, reporting it to the supervisory authority alone is not sufficient: In that case, you must also notify the data subjects (Art. 34 GDPR) – in clear, understandable language.
This is the second escalation level and occurs less frequently. However, it’s best to have given this matter some thought.
Where do I record and assess data breaches in foxondo?
In the “Forms & Checklists” module, you’ll find the section for recording data breaches. This allows you to work through the key questions in a structured manner for each incident, assess the risk at the end, and decide whether a report to the supervisory authority – and, if necessary, notification of the data subjects – is required.
You can also save the result internally as a PDF export. This ensures you fully comply with your documentation obligation under Article 33(5) of the GDPR as well as your accountability requirements.
➡️ Our tip: Create a contingency plan and don’t wait until an emergency actually occurs.
Take the time to determine in advance who will be notified in the event of an incident and who will keep track of the 72-hours. Because when an incident occurs, every hour counts – and a clear procedure takes a lot of pressure off.
You can record additional guidelines for handling data protection incidents in foxondo in the “Data Protection Organization” module.