
GDPR Article 33 / 34 breach notification + multi-jurisdiction coordination

Primary statement

GDPR Art 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach; Art 34 requires communication to data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. DPDPA Section 8 and Rule 7 impose a two-stage notification (initial notice without undue delay, detailed report within 72 hours). EU AI Act incident notification, CERT-In 6-hour reporting and NIS2 obligations run in parallel. Coordination across multiple regulators is required.

Audit-fatigue payoff

A single unified breach notification playbook (supervisory authority notification, data subject communication and multi-regulator coordination) satisfies the breach notification requirements of all five contributing frameworks.

Strictness matrix

Scope
  Requirement: any personal data breach. Risk-based threshold for data subject notification (Art 34).
  Ceiling source: gdpr:Art.33
  Rationale: GDPR Art 33 has the broadest scope.

Threshold
  Requirement: notification within 72 hours of becoming aware. Documented justification required for any delay beyond 72 hours.
  Ceiling source: gdpr:Art.33
  Rationale: the GDPR Art 33 72-hour binary threshold is canonical.

Method
  Requirement: awareness-to-notification time tracking + supervisory authority notification template + data subject communication template (Art 34) + DPDPA two-stage flow + CERT-In parallel + EU AI Act parallel + multi-regulator coordination matrix.
  Ceiling source: gdpr:Art.33
  Rationale: GDPR Art 33 and DPDPA Rule 7 combined form the most prescriptive method.

Frequency
  Requirement: event-driven, within 72 hours. Procedure review: annual + post-incident. Tabletop exercises: annual.
  Ceiling source: gdpr:Art.33
  Rationale: per-event with a 72-hour SLA is the operational floor.

Evidence
  Requirement: breach response procedure + supervisory authority contact list + notification templates + sample breach submissions + tabletop records.
  Ceiling source: gdpr:Art.33
  Rationale: GDPR Art 33 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect the breach response procedure.
Step 2: Verify the supervisory authority contact list.
Step 3: Sample one breach (or tabletop exercise) and verify the 72-hour timeline from awareness to notification.
Step 4: Verify the multi-regulator coordination matrix.

Common findings

(1) The 72-hour clock is started at public disclosure rather than at internal awareness.
(2) The DPDPA two-stage flow is not pre-staged.
(3) Multi-regulator coordination is absent.
(4) Tabletop exercises are generic rather than tailored to the organisation's regulators and data.