Notify a Personal Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A controller shall notify a personal data breach to this Office within 72 hours from becoming aware of such breach.

The notification shall not be required in those specific cases where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects.

To facilitate the process, controllers should follow this link​, complete and submit the online notification form.

The reference number indicated in the acknowledgment email that will be received following the submission of the online form, should be cited for the purpose of any further communication with this Office on a notified data breach.

For more general information on this requirement, controllers may access the Guidelines on Personal Data Breach Notification​ adopted by the WP29 on 6 February 2018.

Skip to content