Never Miss the 72-Hour GDPR Breach Window . Here's Exactly When the Clock Starts

The Complete Guide: GDPR 72-Hour Breach Notification Under Article 33

Article 33 of the GDPR requires controllers to notify supervisory authorities of personal data breaches "without undue delay and, where feasible, not later than 72 hours after having become aware of it." Those 23 words have generated more regulatory guidance, enforcement actions, and compliance anxiety than almost any other provision in the regulation.

The critical question is not "how fast do we need to notify?" . it is "when does the clock actually start?"

What "Awareness" Means Under Article 33

The 72-hour window does not begin when the breach occurs. It begins when the controller "becomes aware" of the breach. The European Data Protection Board (EDPB) has clarified this in its Guidelines 9/2022 on personal data breach notification:

This means the clock does not start the moment someone in your organization suspects something might be wrong. It starts when you have a "reasonable degree of certainty" that personal data has been compromised. However , and this is where organizations get into trouble , you cannot delay awareness by choosing not to investigate.

The "Should Have Known" Standard

Regulators have consistently held that organizations cannot plead ignorance if they failed to implement reasonable detection measures. If a breach was detectable through standard monitoring and your organization missed it because monitoring was inadequate, regulators will treat the moment the breach should have been detected as the moment of awareness.

This principle was tested in several notable enforcement actions:

• The Dutch DPA fined Booking.com for late notification, finding that awareness occurred when individual hotels reported unauthorized access , not when Booking.com's central team completed its internal investigation weeks later.
• The UK ICO found that Marriott's awareness was delayed because the company inherited Starwood's compromised systems and failed to conduct adequate due diligence, effectively inheriting the breach awareness timeline.
• The Spanish AEPD has consistently held that a controller's awareness begins when any employee with authority to act on the information receives it , not when the DPO is formally notified.

When Does the Clock Start for Processors?

Article 33(2) places a separate obligation on processors: they must notify the controller "without undue delay after becoming aware of a personal data breach." No 72-hour deadline is specified for processors, but "without undue delay" has been interpreted narrowly.

For controllers, this creates a cascading timeline. If your processor becomes aware on Monday and notifies you on Wednesday, your 72-hour clock starts on Wednesday , but if the processor's delay was unreasonable, the supervisory authority may still scrutinize the overall timeline.

What Counts as "Without Undue Delay"?

The 72 hours is a maximum, not a target. The GDPR says "without undue delay and, where feasible, not later than 72 hours." This means:

• If you can notify in 24 hours, you should. Waiting until hour 71 when you had sufficient information at hour 12 is itself a compliance failure.
• If you genuinely cannot complete your assessment within 72 hours, you can submit a phased notification , but you must provide reasons for the delay and submit initial information within the 72-hour window.
• Weekends and holidays do not pause the clock. If awareness occurs at 11 PM on a Friday, you have until 11 PM on Monday.

What Information Must the Notification Contain?

Article 33(3) specifies minimum content for breach notifications:

• The nature of the personal data breach, including categories and approximate number of data subjects and records
• The name and contact details of the DPO or other contact point
• A description of likely consequences of the breach
• A description of measures taken or proposed to address the breach, including mitigation

For multi-entity organizations, this creates a coordination challenge. If the breach affects data subjects across multiple subsidiaries in different jurisdictions, you may need to file with multiple supervisory authorities , unless you have a lead authority under the one-stop-shop mechanism.

The Multi-Entity Coordination Problem

The 72-hour clock is challenging enough for a single organization. For enterprise groups managing compliance across 10, 20, or 50+ entities, it becomes exponentially harder:

• Which entity is the controller , the subsidiary where the breach occurred, or the parent company?
• If multiple entities share a data processing system, does awareness at one entity constitute awareness for all?
• Who has authority to file the notification , the local DPO, the group DPO, or legal?
• Which supervisory authority receives the notification when affected data subjects span multiple member states?

These questions cannot be answered during a breach. They must be resolved in advance, documented in your incident response plan, and tested through regular tabletop exercises.

When Notification Is Not Required

Not every breach triggers the 72-hour clock. Article 33(1) includes an important qualifier: notification is required "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

This risk assessment is where many organizations struggle. The EDPB has provided examples:

• An encrypted laptop is stolen, and the encryption key was not compromised , likely no risk, likely no notification required
• A brief power outage causes temporary inability to access patient records , risk depends on context (emergency care vs. routine records)
• An email containing personal data is sent to the wrong recipient, who confirms deletion without reading , low risk, but still a breach that must be documented internally

Even when notification to the supervisory authority is not required, Article 33(5) requires you to document the breach, its effects, and the remedial action taken. This documentation must be available for supervisory authority review upon request.

Making the 72-Hour Window Manageable

The organizations that consistently meet the 72-hour deadline share common characteristics:

• They have a centralized incident intake system that captures breaches from any entity, any employee, any time zone , eliminating the organizational friction that delays awareness
• They use structured risk assessment frameworks (not ad hoc judgment calls) to determine notifiability within minutes of intake
• They maintain current, accurate ROPA records so that breach scope assessment does not require days of manual data gathering
• They have pre-configured notification templates for each relevant supervisory authority, reducing drafting time from hours to minutes
• They document every decision with timestamps, creating the audit trail that demonstrates compliance even when the timeline is tight

The 72-hour clock is demanding by design. It forces organizations to build the operational infrastructure that makes privacy management sustainable , not just compliant on paper, but resilient under pressure.