
Article 33 of the GDPR: Notification of personal data breaches

Article 33 of the GDPR requires data controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.

Article 33 of the GDPR explained

In the event of a personal data breach (e.g. unauthorised access, loss, accidental disclosure), the controller must:

  • Inform the CNIL (or the other competent supervisory authority) within 72 hours of becoming aware of the breach; where all the information is not available at once, it may be provided in phases without undue further delay;
  • Describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), give the contact details of the DPO or another contact point, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its effects;
  • Document every personal data breach (the facts, its effects and the remedial action taken), whether or not it was notified, so that the supervisory authority can verify compliance.

A processor that becomes aware of a breach must notify the controller without undue delay.

Why is this article important for your GDPR compliance?

Data breaches can have serious consequences for data subjects: identity theft, invasion of privacy, fraud. Article 33 obliges organisations to handle these incidents transparently and promptly, which in turn helps build user trust.

How to comply with Article 33 of the GDPR?

  • Develop a data breach management procedure covering detection, internal alerting, handling and notification;
  • Train teams to recognise incidents and report them internally without delay, since the 72-hour clock starts when the organisation becomes aware of the breach;
  • Document each incident in a dedicated breach register, including breaches assessed as not requiring notification and the reasoning behind that assessment;
  • Be ready to notify the CNIL within 72 hours with the information required by Article 33(3), and to supplement it in phases if some facts are not yet established.

Examples of application of Article 33 of the GDPR

  • An email containing sensitive data is sent to the wrong recipient by mistake: the CNIL is informed within 72 hours of the error being discovered;
  • A laptop containing unencrypted personal data is stolen: the notification procedure is triggered. Had the data been encrypted with a key the thief could not obtain, the controller might have been able to assess the breach as unlikely to present a risk, which is why encryption of portable devices matters for Article 33 in practice;
  • A security breach is detected on a client's server: the processor immediately alerts the controller on whose behalf it processes the data.
