When shall a personal data breach be notified to the President of the PDPO?

Pursuant to Article 33(1) GDPR, in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

According to the foregoing Article 33(1) GDPR, the controller shall notify a breach to the competent supervisory authority without undue delay. Whether the notification was made without undue delay should be established taking into account, in particular, the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.

Furthermore, the GDPR requires that, in the case of a breach, the controller shall notify the breach not later than 72 hours after having become aware of it. WP29 considers that a controller should be regarded as having become "aware" when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised.

The time limit specified in Article 33(1) GDPR should not be exceeded by controllers; however, the GDPR provides for some circumstances in which the breach may be notified later than 72 hours after having become aware of it. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

(more information in: "Is notifying of the personal data breach later than 72 hours after having become aware of it permitted?")

2018-08-09 Article metadata