Data Breach Notification (Articles 33-34)
Data Breach Notification under Articles 33 and 34 of the General Data Protection Regulation (GDPR) establishes critical obligations for organizations when personal data breaches occur.

**Article 33 – Notification to the Supervisory Authority:** When a personal data breach occurs, the data controller must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is delayed beyond 72 hours, the controller must provide a reasoned justification. The notification must include: the nature of the breach, including the categories and approximate number of data subjects and records affected; the contact details of the Data Protection Officer (DPO) or other contact point; the likely consequences of the breach; and the measures taken or proposed to address and mitigate the breach. Importantly, notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Data processors must notify the controller without undue delay upon becoming aware of a breach, enabling the controller to meet its 72-hour obligation.

**Article 34 – Communication to Data Subjects:** When a breach is likely to result in a **high risk** to the rights and freedoms of individuals, the controller must communicate the breach directly to affected data subjects without undue delay. This communication must describe the breach in clear, plain language and include the same details as the supervisory authority notification (contact point, likely consequences, and measures taken or proposed). Direct communication is not required if: the controller has implemented appropriate technical and organizational safeguards (such as encryption) rendering the data unintelligible; the controller has taken subsequent measures ensuring the high risk is no longer likely to materialize; or it would involve disproportionate effort, in which case a public communication or similar measure must be made instead.

**Key Considerations:** Organizations should maintain detailed breach registers documenting all incidents regardless of severity. Failure to comply with breach notification obligations can result in administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher.
Data Breach Notification (Articles 33-34) – Complete Guide for CIPP/E Exam
Why Data Breach Notification Matters
Data breach notification is one of the most operationally significant obligations under the GDPR. Articles 33 and 34 establish a structured framework that ensures supervisory authorities and affected individuals are informed when personal data is compromised. This matters because:
- It enables supervisory authorities to assess risks and take corrective action promptly.
- It empowers individuals to take protective steps (e.g., changing passwords, monitoring accounts) when their data is at risk.
- It holds controllers accountable and incentivizes robust data security practices.
- It promotes transparency and trust between organisations and the public.
- Failure to comply with notification obligations can lead to significant administrative fines — up to €10 million or 2% of annual worldwide turnover, whichever is higher.
What Is a Personal Data Breach?
Article 4(12) of the GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Data breaches fall into three broad categories:
- Confidentiality breach: Unauthorised or accidental disclosure of, or access to, personal data (e.g., sending personal data to the wrong recipient).
- Integrity breach: Unauthorised or accidental alteration of personal data (e.g., data corruption).
- Availability breach: Accidental or unauthorised loss of access to, or destruction of, personal data (e.g., ransomware attack, accidental deletion).
A breach can involve one or more of these categories simultaneously.
Article 33: Notification to the Supervisory Authority
Key Requirements:
1. Who must notify? The controller is responsible for notifying the supervisory authority. The processor must notify the controller without undue delay after becoming aware of a breach.
2. When must notification occur? Without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. If notification is made after 72 hours, the controller must provide reasons for the delay.
3. Exception: Notification is not required if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This means every breach must be assessed for risk. If there is any risk (not just high risk), notification to the supervisory authority is required.
4. Content of notification (Article 33(3)): The notification must include at minimum:
- The nature of the breach, including (where possible) the categories and approximate number of data subjects concerned and categories and approximate number of personal data records concerned.
- The name and contact details of the Data Protection Officer (DPO) or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
5. Phased notification: If it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay (Article 33(4)).
6. Documentation obligation (Article 33(5)): The controller must document all personal data breaches, including the facts relating to the breach, its effects, and the remedial action taken. This documentation must enable the supervisory authority to verify compliance. This applies to all breaches — even those that do not meet the threshold for notification.
Article 34: Communication to the Data Subject
Key Requirements:
1. Trigger: When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay.
2. Threshold distinction: This is critical for exam purposes. Notification to the supervisory authority (Article 33) requires any level of risk. Communication to the data subject (Article 34) requires a higher threshold — high risk.
3. Content: The communication must describe in clear and plain language the nature of the breach and contain at least:
- The name and contact details of the DPO or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects.
4. Exceptions — when communication to the data subject is NOT required (Article 34(3)):
- (a) The controller has implemented appropriate technical and organisational protection measures to the data affected by the breach, in particular those that render the data unintelligible (e.g., encryption).
- (b) The controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
- (c) It would involve disproportionate effort, in which case there must be a public communication or similar measure whereby data subjects are informed in an equally effective manner.
5. Supervisory authority power: If the controller has not already communicated to the data subject, the supervisory authority may, having considered the likelihood of the breach resulting in a high risk, require the controller to do so (Article 34(4)).
How the Notification Process Works in Practice
Step 1: Detection and awareness. The 72-hour clock starts when the controller becomes aware of the breach. A controller is considered aware when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. A processor becoming aware triggers an obligation on the processor to notify the controller without undue delay.
Step 2: Risk assessment. The controller must assess the risk to individuals' rights and freedoms. Factors include: the type of breach, the nature/sensitivity/volume of personal data, ease of identification of individuals, severity of consequences for individuals, special characteristics of the data subject (e.g., children), number of affected individuals, and special characteristics of the controller.
Step 3: Notify supervisory authority (if risk exists) within 72 hours. Phased reporting is permitted.
Step 4: Communicate to data subjects (if high risk exists) without undue delay, unless exceptions under Article 34(3) apply.
Step 5: Document everything. Maintain a breach register regardless of whether notification was required.
Key Distinctions to Remember
- Article 33 (SA notification): Risk to rights and freedoms → notify within 72 hours.
- Article 34 (Individual communication): High risk to rights and freedoms → communicate without undue delay.
- Breach unlikely to result in a risk: No notification to the SA and no communication to data subjects, but the breach must still be documented in the internal register (Article 33(5)).
- Processor obligation: Notify the controller (not the supervisory authority) without undue delay.
- 72 hours: This applies only to SA notification. There is no specific hour-based deadline for communication to data subjects — it is "without undue delay."
Relevant Guidance
The Article 29 Working Party published Guidelines on Personal Data Breach Notification (WP250 rev.01), later endorsed by its successor, the European Data Protection Board (EDPB). They provide detailed examples, flowcharts, and practical scenarios to help determine risk levels and notification obligations, and are essential reading. The EDPB has since supplemented this with Guidelines 01/2021 on examples regarding personal data breach notification, and revised the core guidance as Guidelines 9/2022 on personal data breach notification under GDPR.
Exam Tips: Answering Questions on Data Breach Notification (Articles 33-34)
1. Know the thresholds: This is the most commonly tested concept. Remember: SA notification = risk; data subject communication = high risk. If the question describes a low-risk breach, notification to the SA is still required but communication to data subjects is not.
2. Remember the 72-hour rule and its nuances: The 72 hours starts from awareness, not from when the breach occurred. Phased notification is permitted. If notification exceeds 72 hours, reasons must be provided. The 72-hour rule applies to SA notification only.
3. Processor vs. Controller obligations: Processors must notify the controller — not the supervisory authority. If a question asks who the processor must notify, the answer is always the controller.
4. Watch for the three exceptions to data subject communication (Article 34(3)): Encryption is the classic example of technical measures rendering data unintelligible. Disproportionate effort triggers the public communication alternative. Subsequent measures eliminating high risk can also remove the obligation.
5. Documentation is always required: Even if a breach poses no risk and no notification is required, the controller must still document the breach in its internal breach register (Article 33(5)). Questions may test whether documentation is needed for "minor" breaches — the answer is yes.
6. Identify the type of breach in scenario questions: Exam scenarios may describe a confidentiality, integrity, or availability breach. Recognising the breach type helps you quickly assess the risk level and determine the correct notification pathway.
7. Read scenarios carefully for risk factors: If a scenario involves sensitive data (health, financial), large volumes, easily identifiable individuals, or vulnerable data subjects (children), the risk is likely high — triggering both Article 33 and Article 34 obligations.
8. Fines: Violations of Articles 33 and 34 fall under the lower tier of administrative fines: up to €10 million or 2% of annual worldwide turnover (Article 83(4)). Do not confuse this with the higher tier (€20 million / 4%).
9. Distinguish awareness from occurrence: If a question states a breach occurred on Monday but the controller became aware on Wednesday, the 72-hour clock starts on Wednesday.
10. Use process of elimination: When facing multiple-choice questions, eliminate answers that confuse the SA notification threshold with the data subject communication threshold, that suggest the processor must notify the SA directly, or that claim documentation is unnecessary for low-risk breaches.
11. Remember the role of the DPO: The DPO's contact details must be included in both the SA notification and the communication to data subjects. The DPO also plays an advisory role in assessing breaches and coordinating the response.
12. Cross-border breaches: Where the breach affects data subjects in more than one Member State, notification should be made to the lead supervisory authority (the one-stop-shop mechanism under Article 56). If the controller is unsure which SA is the lead, it should at a minimum notify the local SA where the breach took place, and state in the notification which other Member States' establishments or data subjects are likely to be affected.