GDPR Recitals

Recital 86Notification of Data Subjects in Case of Data Breaches

All 173 Recitals Regulation (EU) 2016/679

A recital is part of the preamble to the GDPR — it explains the reasoning and intent behind the enacting articles. Recitals are not binding in themselves but are used to interpret the Regulation.

The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. 2 The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. 3 Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. 4 For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.

* This title is an unofficial description.

Recital 85

Recital 87

All recitals

Report error

Source: Regulation (EU) 2016/679 (OJ L 119, 4.5.2016, p. 1), preamble. Official text reproduced from EUR-Lex — © European Union.

Looking for the binding rules? Browse the 99 GDPR articles — the recitals explain the intent behind them.

Need to apply the GDPR in practice?

Our data-protection lawyers turn the text into a plan.

Talk to a lawyer