1. If a personal data breach may result in a high risk of infringement of the rights or freedoms of individuals, the controller shall notify the data subject of the breach without undue delay.
2. The notification referred to in paragraph 1 of this Article shall describe the nature of the personal data breach in clear and plain language and shall include at least the information and measures referred to in Article 33(3)(b), (c), and (d).
3. The notification referred to in paragraph 1 is not required in the following cases:
(a) the controller has implemented appropriate technical and organisational safeguards and those safeguards have been applied to the personal data affected by the breach, in particular measures such as encryption, which prevent unauthorised persons from reading those personal data;
(b) the controller has subsequently taken measures eliminating the likelihood of a high risk of infringement of the rights or freedoms of the data subject referred to in paragraph 1;
(c) it would require disproportionate effort, in which case a public notice is issued or a similar measure is used to inform data subjects in an equally effective manner.
4. If the controller has not yet notified the data subject of a personal data breach, the supervisory authority, taking into account the likelihood that the personal data breach will result in a high risk, may require the controller to do so or may determine that one of the conditions referred to in paragraph 3 has been met.
Article 34 RODO – Notifying the data subject of a personal data breach | ODO 24