GDPR Breach Notification Guide

Meet the 72-Hour GDPR Breach Deadline, Even Across 50+ Subsidiaries

Updated 2026-05-18
Key Takeaways: Priverion is a Swiss-hosted GRC platform that helps multi-entity organizations meet the GDPR 72-hour breach notification deadline with centralized incident workflows, automated escalation, and audit-ready documentation.

The clock starts when any entity in your group becomes aware, not when headquarters finds out. Get the step-by-step playbook that multi-entity privacy teams use to stay compliant under pressure.

No spam. Unsubscribe anytime. Your data is processed and hosted in Switzerland.

Swiss-hosted infrastructure | ISO 27001 aligned | Trusted by 150+ organizations | FADP and GDPR compliant
Trusted by 50+ privacy teams across 14 countries
Healthcare
Aviation
Energy
Legal
Technology
Where Multi-Entity Organizations Fail

Why 72 Hours Is Not Enough for Most Multi-Entity Organizations

Knowing the GDPR data breach notification requirements is one thing. Executing them under pressure across subsidiaries, jurisdictions, and disconnected systems is where compliance actually breaks down.

Awareness Fragmentation

A breach occurs at a subsidiary. The local IT team investigates for 36 hours before escalating. By the time the group DPO is informed, the 72-hour window under Article 33 is nearly closed, or already gone. Without centralized incident intake across every entity, the clock runs out before it ever starts for HQ.

Result: Automated escalation workflows reduced breach awareness lag to under 4 hours for Trapeze Group across multiple entities.

Trapeze Group, 24/7 DPO support across multiple entities via Priverion

ROPA Disconnection

You cannot assess the impact of a breach if you don't have an accurate, up-to-date record of processing activities. If your ROPA was last updated 14 months ago, your breach impact assessment is built on sand. Article 33 notifications require you to describe the nature of the breach (categories and approximate numbers of affected data subjects and records). Stale ROPAs make that impossible under time pressure.

Result: AXA achieved a 100% ROPA recertification rate with fully automated workflows: breach-ready documentation at all times.

AXA: 100% ROPA recertification rate via Priverion automated recertification

Documentation Gaps

Article 33(5) requires controllers to document all breaches, not just notifiable ones, including the facts, effects, and remedial actions. Most multi-entity organizations track this across spreadsheets shared via email. No auditor accepts that as a defensible breach register. When a supervisory authority requests your breach log, you need audit-ready evidence packages, not a folder of inconsistently formatted Excel files.

Result: Aircraft manufacturer reduced compliance admin time by 60% in 6 months; their DPO now focuses on strategic privacy work instead of spreadsheet maintenance.

Aircraft manufacturer: 60% reduction in compliance admin time, first 6 months with Priverion

Jurisdiction Confusion

Which supervisory authority do you notify when a breach affects data subjects in 8 countries but the controller is established in a 9th? The GDPR's "one-stop-shop" mechanism has nuances that require pre-mapped decision trees built before an incident, not real-time Googling at 2 AM. Cross-border breach notifications demand pre-configured escalation paths per entity and jurisdiction.

Result: Zurzach Care achieved 100% vendor risk assessment coverage, pre-mapping third-party data flows across entities before incidents occur.

Zurzach Care: 100% vendor risk assessment coverage via Priverion

DPIA / TIA Blind Spots

High-risk processing that was never assessed via a Data Protection Impact Assessment leaves you with no pre-existing risk baseline against which to evaluate breach severity. When Article 34 asks whether the breach is "likely to result in a high risk to the rights and freedoms of natural persons," you need a documented risk assessment to answer, not gut instinct. Missing DPIAs turn every breach into a worst-case-assumption exercise.

Result: Medtec saved 200+ hours in ISO 27001 preparation, including DPIA documentation that serves as a breach-response baseline.

Medtec: 200+ hours saved in ISO 27001 preparation via Priverion

Processor Notification Failures

Processors must notify the controller "without undue delay"; there is no 72-hour safe harbor for processors. In multi-entity groups with shared services or intra-group processing agreements, a processor subsidiary may not realize it needs to notify the controller entity immediately. Without a unified vendor and intra-group processing map, this forgotten trigger becomes the compliance gap that supervisory authorities scrutinize first. When enforcement actions cite notification delays, this is overwhelmingly where the chain breaks.

Result: Cross-entity data mapping gives group-wide visibility into controller-processor relationships, so every entity knows exactly who to notify.

Priverion platform capability: cross-entity data mapping for group-wide visibility

Get Your Free Breach Playbook

A step-by-step guide for multi-entity organizations: free PDF, no spam.

200+

Hours saved on ROPA management

Medtec recovered 200+ hours previously spent on manual record-keeping, time redirected to ISO 27001 certification preparation.

60%

Lower cost vs. legacy platforms

Aircraft manufacturer achieved enterprise-grade compliance at a materially lower total cost than typical enterprise GRC contracts of comparable scope: no per-user fees, no per-module expansion traps.

3 mo

Ahead of schedule on ISO 27001

Medtec completed ISO 27001 audit preparation three months ahead of their original timeline using Priverion's integrated evidence packages.

What Privacy Leaders Say About Priverion

Based on customer interviews and survey responses, Q1 2025

"We went from 47 disconnected spreadsheets to a single platform across all subsidiaries. When our first real breach hit, we had the notification ready in 18 hours, including cross-border assessment. That would have been impossible before."

Thomas Keller, Group Data Protection Officer

Aircraft manufacturer: 11 entities across 4 jurisdictions

"The automated ROPA recertification alone justified the switch. But what really matters is that every entity now has breach-ready documentation at all times. Our DPAs with supervisory authorities have become genuinely straightforward."

Sandra Meier, Head of Privacy

AXA: 100% ROPA recertification rate across all entities

"We cut 200+ hours of manual compliance work in the first year. The ISO 27001 preparation that was supposed to take nine months was done in six. Priverion's evidence packages mapped directly to auditor requirements."

Dr. Marc Widmer, CTO and DPO

Medtec: 3 months ahead of schedule on ISO 27001

"Having 100% vendor risk assessment coverage means we know exactly where data flows before an incident occurs. When a processor had a breach last quarter, we had the controller notification ready within hours, not days."

Daniela Fischer, Compliance Manager

Zurzach Care: 100% vendor risk assessment coverage

ISO 27001 Aligned

Information security management

100% Swiss Hosted

Swiss data protection law applies

FADP Compliant

Swiss Federal Act on Data Protection

150+ Organizations

Across Europe and Switzerland

Priverion vs. OneTrust

Enterprise-grade without enterprise complexity

Mid-market companies don't need a platform built for Fortune 50 procurement cycles. They need one that solves group-wide privacy compliance without the bloat, the budget surprises, or the US data residency risk.

The OneTrust experience

US-headquartered data processing

Data processed in US infrastructure, subject to CLOUD Act and FISA 702. Post-Schrems II, this creates ongoing transfer risk for European organizations.

Per-module, per-user pricing

Costs escalate as you add subsidiaries, users, or modules. Budget predictability disappears when your group structure grows.

Built for the Fortune 500

Feature-rich to the point of overwhelming. Mid-market teams spend months in implementation and still only use a fraction of capabilities.

Fragmented module architecture

Need ROPA, DPIA, vendor management, and incident handling? That's four separate purchasing conversations and potentially four different UX patterns.

200+ shallow integrations

A long connector list looks impressive on paper but creates maintenance overhead. Most mid-market teams use fewer than 10.

The Priverion experience

Guaranteed Swiss data sovereignty

Swiss-built, Swiss-hosted, European data residency. All data processing stays within Swiss infrastructure: not a marketing checkbox, but a legal safeguard for cross-border transfers.

Predictable, transparent pricing

Priced by number of companies and organizational size, not per-user or per-module. No expansion traps when your third subsidiary goes live or your fifth business unit needs access.

Purpose-built for multi-entity groups

Operational in weeks, not months. Aircraft manufacturer went from 47 spreadsheets to fully automated recertification in their first 6 months, cutting 60% of compliance admin time.

Aircraft manufacturer: first 6 months of Priverion deployment

All-in-one privacy platform

ROPA, DPIA, vendor risk, incident management, DSR handling, data mapping, and AI-assisted compliance: one platform, one contract, one consistent experience across every entity.

Deep integrations where they matter

Meaningful connections with HR, procurement, and IT asset management systems, the workflows that actually feed privacy compliance. Not 200 shallow connectors that create maintenance overhead.

Be ready before the next breach

Get the playbook that multi-entity privacy teams use to meet the 72-hour deadline

Built from real breach response workflows across organizations managing 5 to 50+ subsidiaries. Includes decision trees, escalation templates, and the documentation checklist supervisory authorities actually ask for.

6 templates

Ready-to-use breach response docs

72-hour timeline

With role assignments per entity

100% free

No commitment required


No spam. No sales pitch. Just a practical resource for privacy teams under pressure.

Free Resource

Download the Breach Response Playbook

A step-by-step guide built for multi-entity organizations that need to operationalize GDPR breach notification, not just understand it.

What's inside:

  • 72-hour timeline with role assignments for group DPOs and subsidiary leads
  • Decision tree: notify vs. document, when Article 33 applies and when it doesn't
  • Cross-border notification flowchart for multi-jurisdiction breaches
  • Processor-to-controller escalation template for intra-group incidents
  • Supervisory authority contact directory for EU/EEA and Switzerland
  • Post-breach documentation checklist aligned to Article 33(5)

No spam. Unsubscribe anytime. Your data is processed within Swiss infrastructure and protected under Swiss data protection law. We will never share your information with third parties.

About this page — references, definitions, and FAQs

Key Takeaways

GDPR Articles 33 and 34 impose strict breach notification obligations on data controllers: notify the supervisory authority within 72 hours and inform affected data subjects without undue delay when there is high risk. Multi-entity organizations face compounded challenges — fragmented awareness, stale ROPAs, jurisdiction confusion, and processor notification gaps. A centralized, Swiss-hosted GRC platform like Priverion helps unify incident intake, automate escalation, and maintain audit-ready breach registers across all subsidiaries.

Definitions

What is a personal data breach under the GDPR?

Personal data breach is defined in Article 4(12) GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." This definition covers confidentiality breaches, integrity breaches, and availability breaches. Source: GDPR Article 4(12)

What is the 72-hour notification obligation?

72-hour notification refers to the requirement under Article 33(1) GDPR that controllers notify the competent supervisory authority "not later than 72 hours after having become aware" of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, it must be accompanied by reasons for the delay. Source: GDPR Article 33

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment is a process required under Article 35 GDPR for processing operations that are "likely to result in a high risk to the rights and freedoms of natural persons." DPIAs serve as a pre-existing risk baseline that is critical during breach severity evaluation under Article 34. Source: GDPR Article 35

What is a Record of Processing Activities (ROPA)?

A Record of Processing Activities is the documentation required under Article 30 GDPR that describes each processing activity, its purposes, categories of data subjects and personal data, recipients, transfers, and retention periods. An up-to-date ROPA is essential for accurate breach impact assessment. Source: GDPR Article 30

Statistics and Authoritative Sources

According to the EDPB Guidelines 9/2022 on personal data breach notification, the 72-hour clock begins at the moment the controller has a "reasonable degree of certainty" that a security incident has compromised personal data (EDPB Guidelines 9/2022). The EDPB emphasizes that awareness at any entity within a corporate group can trigger the clock for the entire group.

The ENISA Threat Landscape 2023 report found that ransomware and data breaches remain among the top threats to organizations in the EU, with the healthcare, public administration, and digital infrastructure sectors most frequently targeted (ENISA Threat Landscape 2023).

Under Article 83(4)(a) GDPR, infringements of breach notification obligations can result in administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher (GDPR Article 83).

The IAPP-EY Privacy Governance Report 2023 found that the average organization employs 5.2 full-time privacy staff, yet multi-entity groups often lack centralized breach coordination — a gap that directly contributes to notification delays (IAPP-EY 2023 Report).

Frequently Asked Questions

What is the GDPR 72-hour breach notification requirement?

Under Article 33 GDPR, data controllers must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must describe the nature of the breach, approximate number of affected data subjects, likely consequences, and measures taken or proposed. Source: GDPR Article 33

When must data subjects be notified of a GDPR breach?

Article 34 GDPR requires controllers to notify affected data subjects "without undue delay" when a breach is likely to result in a high risk to their rights and freedoms. Exceptions apply when the controller has implemented appropriate technical safeguards (e.g., encryption), has taken measures ensuring the high risk is no longer likely, or when individual notification would involve disproportionate effort. Source: GDPR Article 34

What are the penalties for failing to notify a GDPR data breach on time?

Failure to comply with breach notification obligations under Articles 33 and 34 can result in administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, under Article 83(4)(a) GDPR. Source: GDPR Article 83

Does the 72-hour deadline apply to data processors?

No. Under Article 33(2) GDPR, processors must notify the controller "without undue delay" after becoming aware of a breach. The 72-hour clock for supervisory authority notification starts when the controller becomes aware, not the processor. Source: GDPR Article 33(2)

What must be included in a breach notification to a supervisory authority?

Article 33(3) requires the notification to include: (a) the nature of the breach including categories and approximate number of data subjects and records; (b) the DPO's name and contact details; (c) the likely consequences; and (d) the measures taken or proposed to address the breach and mitigate its effects. Source: GDPR Article 33(3)

How does the one-stop-shop mechanism affect cross-border breach notifications?

Under Article 56 GDPR, the lead supervisory authority coordinates cross-border investigations. The EDPB Guidelines 9/2022 clarify that controllers must still notify the lead authority within 72 hours and that the lead authority shares information with concerned authorities. Multi-entity organizations should pre-map which authority is the lead for each controller entity. Source: EDPB Guidelines 9/2022

What is the difference between Article 33 and Article 34 GDPR?

Article 33 governs notification to the supervisory authority (within 72 hours, unless the breach is unlikely to result in a risk). Article 34 governs communication to affected data subjects (without undue delay, only when there is a high risk). Article 33 applies to all breaches posing any risk; Article 34 has a higher threshold requiring "high risk to the rights and freedoms of natural persons." Sources: GDPR Article 33 | GDPR Article 34

Must organizations document breaches that are not notifiable?

Yes. Article 33(5) GDPR requires controllers to document all personal data breaches, regardless of whether they are notifiable, including the facts, effects, and remedial actions taken. This breach register must be available for supervisory authority inspection. Source: GDPR Article 33(5)

Comparison: GDPR vs. Swiss FADP Breach Notification

Aspect | GDPR (EU/EEA) | Swiss FADP (nDSG)
Legal basis | Articles 33 & 34 GDPR | Article 24 nDSG
Notification to authority | Within 72 hours | "As soon as possible" (no fixed deadline)
Threshold for authority notification | Unless unlikely to result in risk | Likely to result in high risk
Notification to data subjects | Without undue delay (high risk) | When necessary for protection or required by FDPIC
Processor obligation | Notify controller without undue delay | Notify controller as soon as possible
Documentation requirement | All breaches (Article 33(5)) | Not explicitly required by statute
Maximum fine | €10M or 2% global turnover | CHF 250,000 (individual liability)
Supervisory authority | Lead SA under one-stop-shop | FDPIC (Federal Data Protection Commissioner)

Sources: GDPR Article 33 | Swiss FADP (nDSG) on Fedlex