GDPR questions and answers

Category: Incidents and Fines

How much time does a processor have to notify the controller of a personal data breach?

ANSWER

The processor is obliged to notify the controller of a personal data breach without undue delay after becoming aware of the breach — Article 33(2) GDPR. The GDPR does not provide for any maximum (indicative) deadline for the processor, nor any sanctions for failing to meet such a deadline. However, it should be noted that a breach of Article 33 GDPR — including by a processor — constitutes grounds for imposing an administrative fine on the controller under Article 83(4)(a) GDPR. Therefore, the controller should specify in the data processing agreement the time within which the processor must notify the controller of a breach, while complying with the "without undue delay" requirement set out in Article 33(2).

Processor breach notification deadlines to the controller | ODO 24