Article 33 GDPR
Reporting a personal data breach to a supervisory authority

1. In the event of a personal data breach, the controller shall notify the supervisory authority competent in accordance with Article 55 without undue delay—where feasible, no later than 72 hours after becoming aware of the breach—unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons. A notification submitted to the supervisory authority after 72 hours shall be accompanied by an explanation of the reasons for the delay.

2. The processor, upon discovering a personal data protection violation, shall report it to the controller without undue delay.

3. The notification referred to in paragraph 1 must, at a minimum:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data entries affected by the breach;

(b) include the name and contact details of the data protection officer or an indication of another contact point from which further information can be obtained;

(c) describe the possible consequences of a personal data breach;

(d) describe the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to minimise its potential adverse effects.

4. If - and to the extent that - information cannot be provided at the same time, it may be provided successively without undue delay

5. The controller shall document any personal data breach, including the circumstances of the personal data breach, its consequences and the remedial action taken. This documentation must allow the supervisory authority to verify compliance with this article.