§ GDPR · Article 33

GDPR Article 33: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 33 · All obligations · GDPR
At a glance
Article 33 of the GDPR imposes 8 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 33

Obligation 1
The controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to rights and freedoms. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
notify
Deadline
72 hours after having become aware of it
Penalty
Exemptions
unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
Obligation 2
If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
document
Deadline
Penalty
Obligation 3
The processor shall notify the controller without undue delay after becoming aware of a personal data breach. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
processor
Action required
notify
Deadline
without undue delay after becoming aware
Penalty
Obligation 4
The notification to the supervisory authority shall describe the nature of the personal data breach, including categories and approximate numbers of data subjects and records concerned. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
describe
Deadline
Penalty
Obligation 5
The notification to the supervisory authority shall communicate the name and contact details of the data protection officer or other contact point. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
communicate
Deadline
Penalty
Obligation 6
The notification to the supervisory authority shall describe the likely consequences of the personal data breach. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
describe
Deadline
Penalty
Obligation 7
The notification to the supervisory authority shall describe the measures taken or proposed to be taken by the controller to address the breach, including mitigation measures. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
describe
Deadline
Penalty
Obligation 8
The controller shall document any personal data breaches, comprising the facts, effects, and remedial action taken, enabling the supervisory authority to verify compliance. Regulation (EU) 2016/679, Article 33, Article 33
Obligated entity
controller
Action required
document
Deadline
Penalty
§ Frequently asked

Questions about Article 33

Who must comply with Article 33 of the GDPR? +
controller, processor.
What does Article 33 of the GDPR require? +
notify document describe
What is the compliance deadline for GDPR Article 33? +
72 hours after having become aware of it; without undue delay after becoming aware
Need a cross-border briefing on GDPR Article 33?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles