# Data breach notification duty

**When must a data breach be reported?**

The data breach notification duty requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it (Article 33 GDPR). Where a high risk is likely, the individuals affected must be informed as well (Article 34).

A personal data breach covers the destruction, loss or alteration of personal data, as well as unauthorised disclosure of or access to it. In everyday terms this includes a lost company laptop, a circular email exposing every recipient's address, a compromised mailbox, an attack with ransomware, meaning malicious software that encrypts customer records, and an invoice sent to the wrong person.

The 72 hour period starts when the business becomes aware of the breach, and it runs through weekends and public holidays. A later notification is possible where the delay is explained. Where the facts are still incomplete, information may be provided to the authority in stages. The Austrian data protection authority publishes forms for making the notification.

Notification may be omitted where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. That assessment has to be recorded. Article 33(5) requires the business to document every breach internally, together with its effects and the remedial action taken. Where a high risk is likely, for example because health or payment data has been exposed, the individuals themselves must be informed without undue delay.

A provider acting as a processor, meaning a provider that handles data on behalf of the business, reports a breach to the commissioning business without undue delay, and that business then notifies the authority. Every contract with an IT provider should therefore state how quickly and to whom an incident is reported.

Whether 72 hours proves sufficient is decided long before the incident. Two questions are central. Who inside the business decides on notification, and can it be established technically which data was affected. Without log data from servers, firewall and mail system, the scope of an incident remains unclear and the notification turns into guesswork. The IT-Check examines whether logging and backups are configured so that an incident can be reconstructed afterwards. Entities within the scope of NIS2 face separate reporting deadlines alongside the GDPR.

## Related terms
- [GDPR](https://vetosec.at/en/it-security/dsgvo/)
- [Data breach](https://vetosec.at/en/it-security/datenleck/)
- [IT emergency plan](https://vetosec.at/en/it-security/notfallplan/)
- [Monitoring and logging](https://vetosec.at/en/it-security/monitoring-logging/)

## Source
https://vetosec.at/en/it-security/meldepflicht-datenpanne/ (vetosec, recht)
