Law and standards
Data breach notification duty
When must a data breach be reported?
The data breach notification duty requires a personal data breach to be reported to the supervisory authority within 72 hours of the organisation becoming aware of it (Article 33 GDPR). Where a high risk is likely, the individuals affected must be informed as well (Article 34).
A personal data breach covers the destruction, loss or alteration of personal data, as well as unauthorised disclosure of or access to it. In everyday terms this includes a lost company laptop, a circular email exposing every recipient's address, a compromised mailbox, an attack with ransomware, meaning malicious software that encrypts customer records, and an invoice sent to the wrong person.
The 72 hour period starts when the business becomes aware of the breach, and it runs through weekends and public holidays. A later notification is possible where the delay is explained. Where the facts are still incomplete, information may be provided to the authority in stages. The Austrian data protection authority publishes forms for making the notification.
Notification may be omitted where the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. That assessment has to be recorded. Article 33(5) requires the business to document every breach internally, together with its effects and the remedial action taken. Where a high risk is likely, for example because health or payment data has been exposed, the individuals themselves must be informed without undue delay.
A provider acting as a processor, meaning a provider that handles data on behalf of the business, reports a breach to the commissioning business without undue delay, and that business then notifies the authority. Every contract with an IT provider should therefore state how quickly and to whom an incident is reported.
Whether 72 hours proves sufficient is decided long before the incident. Two questions are central. Who inside the business decides on notification, and can it be established technically which data was affected. Without log data from servers, firewall and mail system, the scope of an incident remains unclear and the notification turns into guesswork. The IT-Check examines whether logging and backups are configured so that an incident can be reconstructed afterwards. Entities within the scope of NIS2 face separate reporting deadlines alongside the GDPR.
IT-Check: have logging and backups reviewed Security monitoring: detect incidents early
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.