Updated: 7 April 2026 · 5 min read
Template: Data Breach Notification to the Supervisory Authority
A data breach must be reported to the supervisory authority within 72 hours. Use this template to report quickly and correctly, with all required information.
Key Takeaways
A data breach must be reported to the supervisory authority within 72 hours of becoming aware of it
Not every breach needs to be reported: notification is not required only if the breach is unlikely to result in a risk to the rights and freedoms of data subjects
If the risk is high, you must also inform the data subjects themselves, without undue delay
Document every breach in your breach register, even if you don't report it
When must you report a data breach?
A data breach is any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. Examples:
An employee sends a file with customer data to the wrong email address
Your laptop with unencrypted personnel files is stolen
A hacker gains access to your CRM system
A USB drive with customer data goes missing
A ransomware attack encrypts your database
Not every breach needs to be reported. You may skip the notification to the supervisory authority only if the breach is unlikely to result in a risk to the rights and freedoms of the data subjects; in every other case you must report. In doubt? Report it. An unnecessary notification has no consequences; a missed one can lead to enforcement action.
Step 1: Notification to the supervisory authority (within 72 hours)
Template: data breach notification to authority
DATA BREACH NOTIFICATION
Date of discovery: [date and time]
Date of incident (if different): [date and time, or "unknown"]
Reason for delay (only if this notification is submitted more than 72 hours after discovery): [reason]
1. DESCRIPTION OF THE BREACH
[Describe what happened, e.g.: "On [date] it was discovered that an employee accidentally sent a spreadsheet with customer data (names, email addresses and phone numbers) to an external email address not belonging to the organisation."]
2. CATEGORIES OF DATA SUBJECTS AND ESTIMATED NUMBER
- Categories: [e.g. customers, employees, suppliers]
- Estimated number of data subjects: [number]
- Estimated number of personal data records: [number]
3. CATEGORIES OF PERSONAL DATA
[e.g. names, email addresses, phone numbers, addresses, financial data, national ID numbers]
4. LIKELY CONSEQUENCES
[Describe the possible consequences for data subjects, e.g.: "The data subjects are at risk of unwanted contact and possible phishing using their data."]
5. MEASURES TAKEN
[Describe what measures you have taken to address the breach and limit its consequences, e.g.:
- The recipient has been contacted with a request to delete the email and attachment
- Confirmation of deletion has been received
- Employees have been reminded of the protocol for sending personal data]
6. CONTACT DETAILS
Organisation name: [name]
Contact person: [name and position]
Phone: [number]
Email: [address]
[If applicable:]
Data Protection Officer (DPO): [name and contact details]
Step 2: Notification to data subjects (for high risk)
If the breach is likely to pose a high risk to data subjects, you must also inform them directly, without undue delay and in clear and plain language.
Template: notification to data subjects
Subject: Data breach notification - [organisation name]
Dear [name],
We are writing to inform you about a security incident involving your personal data.
What happened?
[Brief description, e.g.: "On [date] we discovered that unauthorised persons may have had access to our customer system containing your name, email address and order history."]
What data was involved?
[List of affected data, e.g.: name, email address, phone number]
What have we done?
[Describe measures taken, e.g.: "We immediately closed the security gap, reset all passwords, and reported the incident to the supervisory authority."]
What can you do?
- Change your password if you use the same password for other services
- Be alert to suspicious emails or phone calls that mention your personal data
- Contact us if you notice anything suspicious
We apologise for the inconvenience. We take the protection of your data seriously and have taken measures to prevent recurrence.
Questions? Contact [contact person] at [email] or [phone].
Kind regards,
[organisation name]
Step 3: Document in your breach register
Every data breach must be recorded in a breach register, even if you decide not to report it to the supervisory authority. The authority can request this register.
Document per incident:
Date of discovery and date of incident
Description of the breach
Categories and numbers of data subjects and data
Consequences and measures taken
Whether you reported it to the authority (and if not, why not)
Whether you informed data subjects (and if not, why not)
Where to report
Country | Authority | Method
Belgium | Data Protection Authority (GBA) | Online form at gegevensbeschermingsautoriteit.be
Netherlands | Data Protection Authority (AP) | Breach reporting desk at autoriteitpersoonsgegevens.nl
Germany | State (Land) data protection authority; BfDI for federal public bodies | Varies per state
France | CNIL | Online form at cnil.fr
UK | ICO | Online form at ico.org.uk
Common mistakes
Reporting too late because you want to investigate internally first - submit an initial notification within 72 hours; further details may be provided in phases as the investigation progresses
Not reporting because it was “just” an email - a misdirected email with personal data is a data breach
Not informing data subjects at high risk - this is a separate obligation alongside the authority notification
Not keeping a breach register - even breaches you don’t report must be documented
Automate your GDPR file?
GDPRWise scans your website, generates your processing register and privacy policy, and gives you a tailored action list. Including data breach procedures.