§ GDPR · Article 33
GDPR Article 33: Obligations, Deadlines & Penalties
At a glance
Article 33 of the GDPR imposes 8 obligations on controller, processor. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 33
Obligation 1
The controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to rights and freedoms.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
notify
- Deadline
-
72 hours after having become aware of it
- Penalty
-
—
- Exemptions
- unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
Obligation 2
If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 3
The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
processor
- Action required
-
notify
- Deadline
-
without undue delay after becoming aware
- Penalty
-
—
Obligation 4
The notification to the supervisory authority shall describe the nature of the personal data breach, including categories and approximate numbers of data subjects and records concerned.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
describe
- Deadline
-
—
- Penalty
-
—
Obligation 5
The notification to the supervisory authority shall communicate the name and contact details of the data protection officer or other contact point.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
communicate
- Deadline
-
—
- Penalty
-
—
Obligation 6
The notification to the supervisory authority shall describe the likely consequences of the personal data breach.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
describe
- Deadline
-
—
- Penalty
-
—
Obligation 7
The notification to the supervisory authority shall describe the measures taken or proposed to be taken by the controller to address the breach, including mitigation measures.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
describe
- Deadline
-
—
- Penalty
-
—
Obligation 8
The controller shall document any personal data breaches, comprising the facts, effects, and remedial action taken, enabling the supervisory authority to verify compliance.
Regulation (EU) 2016/679, Article 33, Article 33
- Obligated entity
-
controller
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 33
Who must comply with Article 33 of the GDPR?
+
controller, processor.
What does Article 33 of the GDPR require?
+
notify document describe
What is the compliance deadline for GDPR Article 33?
+
72 hours after having become aware of it; without undue delay after becoming aware