Data Breach Notification
The legal obligation to notify authorities and affected individuals when personal data is compromised.
Under GDPR Articles 33 and 34, data controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach — unless the breach is unlikely to result in risk to individuals. High-risk breaches also require direct notification to affected individuals without undue delay.
A personal data breach includes unauthorized access to, or accidental loss, destruction, alteration, or disclosure of, personal data. In practice this covers ransomware attacks, phishing that leads to account compromise, an email accidentally sent to the wrong recipient, and lost or stolen unencrypted devices.
US state laws such as the CCPA, together with dozens of other state breach notification statutes, impose similar obligations, often with shorter or varying timeframes. Your incident response plan and privacy policy should document your breach notification procedures, including who decides whether a breach is notifiable and how the 72-hour clock is tracked.
Generate a GDPR Art. 33-34 policy in 60 seconds
Our AI drafts privacy policies, terms of service, and cookie policies that cover GDPR Art. 33-34 requirements — tailored to your business.