Chapter 4: Controller and Processor
A personal data breach that is likely to pose a risk to people's rights must be reported to the supervisory authority within 72 hours of becoming aware of it. All breaches must be documented internally.
Key points
- 72-hour clock runs from awareness.
- Document every breach, even those you decide not to report.
These summaries are a plain-English orientation only and are not a substitute for the official text of the Regulation or for legal advice.