Stop Guessing When to Notify Data Subjects After a Breach: Get the Exact Framework
Get the step-by-step Article 34 decision framework, notification templates, and multi-entity coordination checklist that privacy teams at 50+ organizations use to handle breach notifications without the guesswork, panic, or regulatory exposure.
What privacy professionals say
Results From Privacy Teams Like Yours
60% less admin time
"We reduced compliance administration time by 60% within six months. Our DPO now spends time on risk assessments and strategic decisions instead of chasing documentation across spreadsheets."
Aviation manufacturing, multi-entity privacy program
200+ hours saved
"We saved over 200 hours on compliance documentation and finished ISO 27001 readiness three months ahead of schedule. The audit-ready evidence packages were available on demand, eliminating the scrambling before supervisory authority requests."
Healthcare technology, ISO 27001 certified
24/7 breach coordination
"We manage DPO support and breach response coordination across multiple entities from one unified platform. The jurisdictional blind spots we had with email-based processes are gone, and every notification decision is tracked per entity."
Technology, multi-entity privacy management
Based on customer-reported outcomes. Aircraft manufacturer and Medtec data from first 12 months post-implementation. Trapeze data from ongoing engagement.
The Complete Article 34 Breakdown: When, What, and How to Notify Data Subjects
Article 34 is one of the most misjudged provisions in the GDPR. Notify when you shouldn't, and you trigger unnecessary panic. Fail to notify when you should, and you face enforcement action. Here is the framework for getting it right.
Determine Whether the Breach Meets the "High Risk" Threshold
Article 34(1) is triggered only when a breach "is likely to result in a high risk to the rights and freedoms of natural persons." This is a higher bar than Article 33's notification to the supervisory authority, which applies to any breach that is not unlikely to result in risk.
Factors that typically push a breach into "high risk" territory:
- Special category data is involved (health, biometric, racial/ethnic origin, political opinions)
- Financial data that could enable fraud (bank accounts, credit card numbers)
- Large volume of affected individuals
- Data that could lead to identity theft, discrimination, or physical harm
- Vulnerable data subjects are affected (children, patients, employees)
- The data was not encrypted or pseudonymised at the time of the breach
The key question is not "how bad was the breach?" but "how likely is it that affected individuals will suffer real harm?" Your risk assessment must document the reasoning, as supervisory authorities will ask for it.
Check the Three Exceptions That Eliminate the Notification Obligation
Article 34(3) provides three exceptions. If any of these apply, you are not required to notify data subjects, but you must still document why the exception applies.
Exception (a): Appropriate protection measures were in place
You applied technical and organisational measures that render the personal data unintelligible to any person not authorised to access it. The most common example is encryption: if the breached data was encrypted with a strong algorithm and the key was not compromised, this exception likely applies.
Exception (b): Subsequent measures eliminate the risk
You took immediate action after the breach that ensures the high risk to data subjects is no longer likely to materialise. For example, you identified and contained the breach before any data was actually accessed, or you remotely wiped a lost device before it was unlocked.
Exception (c): Disproportionate effort
If individual notification would involve disproportionate effort (for example, you cannot identify or contact all affected individuals), you must instead make a public communication or take a similar measure that informs data subjects equally effectively. This is the exception most frequently misapplied; supervisory authorities interpret "disproportionate effort" narrowly.
Draft the Notification Content
Article 34(2) references Article 33(3)(b), (c), and (d). Your notification to data subjects must include four elements, communicated "in clear and plain language":
- The nature of the breach: Describe what happened in terms the recipient can understand. Avoid legal jargon and technical language. "An unauthorised third party accessed your account information" is better than "a security incident involving credential exposure occurred."
- DPO contact details: The name and contact details of your data protection officer or other contact point where they can obtain more information.
- Likely consequences: Be honest and specific. "This may mean your email address and password are available to unauthorised parties, which could be used to access other accounts if you use the same password" is more useful than "there may be a risk to your personal data."
- Mitigation measures: Describe what you have done and what you recommend they do: password resets, account monitoring, credit freezes, contact points for questions.
Choose the Right Communication Channel
The GDPR does not prescribe a specific channel, but the notification must actually reach affected individuals. Consider:
- Direct email: Most common for online breaches. Ensure you are sending to verified addresses and can evidence delivery.
- Postal mail: Appropriate for breaches involving offline data or when email addresses are not available.
- Dedicated incident page: Useful as a supplement but typically insufficient as the sole notification method.
- In-app notification: Can work for active users of a digital service but misses inactive accounts.
Document your channel selection rationale. If a supervisory authority asks why you chose email over post for a breach affecting elderly patients, you need a defensible answer.
Execute the Notification and Preserve the Audit Trail
Article 34 says "without undue delay." Unlike Article 33's 72-hour deadline, there is no fixed clock, but supervisory authorities expect action as soon as you have enough information to provide meaningful guidance.
What your audit trail must capture:
- Timestamp of the risk assessment decision
- Names and roles of people involved in the decision
- The rationale for or against notification (including exception analysis)
- Draft versions and final content of the notification
- Channel selection and delivery evidence
- Follow-up communications and data subject inquiries
This is where spreadsheet-based processes collapse. When a supervisory authority requests your breach file six months later, you need every decision, timestamp, and communication in one place, not scattered across email threads, shared drives, and individual notebooks.
Handle Multi-Entity Complexity
For organisations managing multiple subsidiaries across jurisdictions, Article 34 notification becomes exponentially more complex:
- Which entity is the data controller for the affected data subjects?
- Do different jurisdictions have additional local requirements beyond GDPR Article 34?
- Must notifications be sent in the local language of each affected jurisdiction?
- Who approves the notification content: the group DPO, the local DPO, or legal counsel in each jurisdiction?
- How do you prevent conflicting communications from different subsidiaries about the same incident?
This is the exact scenario Priverion was designed for. Cross-entity data mapping identifies which subsidiaries hold affected data, incident management coordinates the response across entities, and audit-ready evidence packages capture the complete decision trail, per entity, per jurisdiction.
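As an added illustration (not Priverion's code and not one of the kit's templates), the decision tree above expressed as a function that also emits the breach-file entry the audit-trail step calls for. The Breach fields, the 10,000-individual volume threshold and the simplification that any listed factor triggers "high risk" are assumptions, not anything the GDPR fixes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Factors the framework above treats as pushing a breach into "high risk".
HIGH_RISK_FACTORS = {
    "special_category": "special category data involved",
    "financial_data": "financial data that could enable fraud",
    "identity_harm": "data enabling identity theft, discrimination or physical harm",
    "vulnerable_subjects": "vulnerable data subjects affected",
}
LARGE_VOLUME = 10_000  # assumed threshold; Article 34 sets no number


@dataclass
class Breach:
    entity: str                      # controller entity this record belongs to
    affected_count: int
    special_category: bool = False
    financial_data: bool = False
    identity_harm: bool = False
    vulnerable_subjects: bool = False
    encrypted_key_safe: bool = False       # data unintelligible to others, 34(3)(a)
    risk_neutralised: bool = False         # contained before access, device wiped, 34(3)(b)
    individuals_contactable: bool = True   # False => disproportionate effort, 34(3)(c)


def assess(b: Breach, decided_by: str) -> dict:
    """Apply the Article 34 decision tree and return the breach-file entry.

    Simplification (assumed): any listed factor, or a large volume, counts as
    high risk. A real assessment weighs likelihood and severity of harm and
    records that reasoning; Article 33 (authority notification) is assessed
    separately and is not covered here.
    """
    reasons = [text for key, text in HIGH_RISK_FACTORS.items() if getattr(b, key)]
    if b.affected_count >= LARGE_VOLUME:
        reasons.append(f"large volume: {b.affected_count} individuals")
    record = {
        "entity": b.entity,
        "decided_at": datetime.now(timezone.utc).isoformat(),  # audit timestamp
        "decided_by": decided_by,
        "high_risk": bool(reasons),
        "rationale": reasons,
        "exception": None,
    }
    if not reasons:
        record["decision"] = "no Art. 34 notification: high-risk threshold not met"
    elif b.encrypted_key_safe:        # unencrypted data is why (a) usually fails
        record["exception"] = "34(3)(a)"
        record["decision"] = "no notification: data unintelligible to unauthorised persons"
    elif b.risk_neutralised:
        record["exception"] = "34(3)(b)"
        record["decision"] = "no notification: subsequent measures removed the high risk"
    elif not b.individuals_contactable:
        record["exception"] = "34(3)(c)"
        record["decision"] = "public communication instead of individual notice"
    else:
        record["decision"] = "notify data subjects directly without undue delay"
    return record
```

Every branch, including the ones that end in "no notification", returns a record with the rationale, because the exception analysis must be in the breach file either way.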
The Tools That Turn Article 34 Obligations Into a Repeatable Process
Breach notification to data subjects fails when it depends on memory, spreadsheets, and ad hoc email chains. These capabilities replace guesswork with a structured, auditable workflow, especially when you are managing incidents across multiple entities.
Incident Management with Built-In Risk Scoring
When a breach is reported, the platform walks your team through a structured assessment, capturing breach type, data categories, volume of affected individuals, and vulnerability factors. AI-assisted risk scoring helps you determine whether the Article 34 "high risk" threshold is met, so your DPO makes an informed decision instead of a gut call under pressure.
Result: Aircraft manufacturer reduced compliance admin time by 60% in their first 6 months, freeing their DPO to focus on risk assessments and strategic decisions rather than chasing documentation.
Aircraft manufacturer, first 6 months post-implementation
Cross-Entity Breach Coordination
When a breach touches data subjects across multiple subsidiaries and jurisdictions, you need a single source of truth, not a chain of forwarded emails. Priverion gives group-wide visibility into every active incident, maps affected entities automatically through your cross-entity data mapping, and tracks notification decisions per jurisdiction so nothing slips through the cracks.
Result: Trapeze manages 24/7 DPO support and breach response coordination across multiple entities from a unified platform, eliminating the jurisdictional blind spots that manual processes create.
Trapeze, multi-entity privacy program management
Audit-Ready Evidence Packages
Article 34 compliance does not end when you hit send on the notification. Supervisory authorities expect documentation of your risk assessment, the rationale behind your notification decision, the content of the communication, and proof of delivery. Priverion generates complete evidence packages, with timestamped audit trails, in minutes, not the weeks of scrambling that spreadsheet-based processes demand.
Result: Medtec saved 200+ hours in compliance documentation preparation, with audit-ready evidence available on demand for supervisory authority requests.
Medtec, ISO 27001 preparation timeframe
An honest note: Priverion does not cover cookie consent banners, ethics hotlines, or ESG reporting. We go deep on privacy program management (incident response, ROPA, DPIAs, vendor risk, and DSRs) so your breach workflows actually work when it matters.
- 200+ hours saved on compliance documentation: Medtec recovered 200+ hours during ISO 27001 preparation by replacing manual documentation with automated workflows (first 12 months).
- 60% less compliance admin time: based on Aircraft manufacturer's results, with entity-based pricing and no per-user or per-module expansion fees.
- 3 months ahead of schedule on ISO 27001 readiness: Medtec accelerated their ISO 27001 certification timeline by three months using Priverion's audit-ready evidence packages.
Get the Article 34 Breach Notification Kit
Step-by-step checklist, risk assessment decision tree, two notification templates (direct and public communication), and multi-entity coordination workflow. Built for DPOs and compliance leads.
No spam. We will send you the templates and nothing else unless you opt in.
Why mid-market teams are leaving OneTrust for Priverion
OneTrust serves a broad buyer profile that includes Fortune 500 organizations with large dedicated GRC teams. You need enterprise-grade compliance without enterprise complexity or enterprise invoices.
The OneTrust experience
Modular pricing that compounds
Per-user, per-module billing means your costs grow unpredictably every time you add a subsidiary, a team member, or a new compliance need. Budget requests become quarterly negotiations.
US-hosted infrastructure
In a post-Schrems II landscape, storing your privacy compliance data with a US-based vendor creates the exact cross-border transfer risk you're trying to manage. The irony writes itself.
Built for the Fortune 500
200+ integrations, ESG modules, ethics hotlines: features that add complexity to your admin console but not to your privacy program. Your DPO doesn't need a platform that requires its own team to operate.
Months-long implementation
Enterprise deployments routinely stretch beyond six months with dedicated project teams, external consultants, and extended onboarding cycles before you see any compliance value.
Opaque AI processing
Unclear data processing for AI features raises questions about where your compliance data flows, a difficult conversation to have with your supervisory authority.
The Priverion experience
Predictable, all-inclusive pricing
Pricing based on number of companies and organizational size, not per-user or per-module. Add team members across all subsidiaries without watching your invoice grow. Your CFO will appreciate the predictability.
Guaranteed Swiss data sovereignty
Swiss-built, Swiss-hosted, all data processing within Swiss infrastructure. European data residency isn't a marketing checkbox; it's a legal requirement for cross-border data transfers that simplifies your DPIA for the tool itself.
Purpose-built for group-wide privacy
ROPA, DPIAs, vendor assessments, incident management, DSR handling, and cross-entity data mapping: everything a multi-entity privacy program needs, nothing it doesn't. We don't cover ESG, ethics hotlines, or cookie consent. That focus is deliberate.
Operational in weeks, not months
Aircraft manufacturer achieved a 60% reduction in compliance admin time within their first 6 months, including implementation. No dedicated project teams or external consultants required.
Aircraft manufacturer case study, first 6 months post-deployment
Transparent AI with human oversight
AI-assisted DPIA drafting, risk scoring, and regulatory mapping, all processed within Swiss infrastructure. Every AI output is reviewed by your team before becoming a compliance record. No customer data is used for model training. AI assists, humans decide.
Switching is simpler than you think. Most teams are fully migrated in under 8 weeks.
Book a 30-min walkthrough
Frequently Asked Questions About Article 34 Breach Notification
When does Article 34 GDPR require notification to data subjects?
Article 34 requires notification when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. This is a higher threshold than Article 33 notification to the supervisory authority, which applies to all breaches except those unlikely to result in any risk. The key determination is whether affected individuals are likely to suffer real harm: identity theft, financial loss, discrimination, or reputational damage.
What must an Article 34 notification contain?
The notification must describe the nature of the breach in clear and plain language, provide the name and contact details of the DPO or other contact point, describe the likely consequences of the breach, and describe the measures taken or proposed to address the breach and mitigate its effects. Avoid legal jargon; supervisory authorities have fined organisations for notifications that were technically compliant but incomprehensible to the average person.
When is Article 34 notification NOT required?
Notification is not required when: (a) you applied appropriate technical and organisational protection measures to affected data, such as encryption where the key was not compromised; (b) you took subsequent measures ensuring the high risk is no longer likely to materialise; or (c) it would involve disproportionate effort, in which case a public communication or similar measure is required instead. All three exceptions must be documented in your breach file.
How quickly must data subjects be notified under Article 34?
Article 34 states notification must happen "without undue delay" but does not specify a fixed timeframe like Article 33's 72-hour rule. In practice, supervisory authorities expect communication as soon as the high-risk determination is made and you have enough information to provide meaningful guidance to affected individuals. Delays of weeks without justification have resulted in enforcement action.
What is the difference between Article 33 and Article 34 GDPR?
Article 33 governs notification to the supervisory authority (72-hour deadline, applies to most breaches). Article 34 governs notification to affected data subjects (no fixed deadline but "without undue delay"), and applies only when the breach is likely to result in high risk to individuals' rights and freedoms. Many organisations conflate the two, leading to either over-notification (creating unnecessary panic) or under-notification (creating regulatory exposure).
How do you manage Article 34 notifications across multiple subsidiaries?
Multi-entity breach notification requires a centralised incident management platform that maps affected entities, tracks notification decisions per jurisdiction, and maintains a single audit trail. Manual coordination via email chains across subsidiaries creates gaps that supervisory authorities will identify during investigations. Priverion's cross-entity data mapping and incident management workflow was designed specifically for this scenario.
The Privacy Compliance Briefing
Monthly insights on GDPR enforcement, Swiss FADP updates, and automation strategies for DPOs and compliance teams.