How should the 72-hour period for reporting a personal data breach be calculated?
ANSWER
Article 33(1) GDPR imposes on the controller an obligation to report a personal data breach. This obligation must be fulfilled without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach.
According to the opinion of the Article 29 Working Party (whose functions have since been taken over by the European Data Protection Board (EDPB)), a controller should be considered to have become aware of a breach at the moment when it has obtained a sufficient degree of certainty that a security incident has occurred and that the incident has led to the compromise of personal data:
"After first being informed of a potential personal data breach by an individual, an organisation, a media source or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation, the controller cannot be regarded as having 'become aware'. However, it is expected that this initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has occurred; a more detailed investigation may then follow." (WP250 rev.01 Guidelines, p. 12)
In the situation described, the 72-hour period should be calculated from the moment when the DPO became aware of the incident and determined that the incident constituted a personal data breach.