📖 Privacy explained

What is the 72-hour data breach notification duty? (GDPR Art. 33-34)

For a data breach that is likely to result in a risk, the controller must notify the AP within 72 hours. Where the risk is high, affected persons must also be notified. Failure to notify = fine up to €10m / 2% turnover.

Last reviewed: 25 May 2026
GDPR Art. 33-34 sets out the data breach notification duty in two directions: to the supervisory authority (Art. 33) and to affected persons (Art. 34).

When to notify the AP (Art. 33)? Within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. The clock starts when there is reasonable certainty that a breach has occurred, not on the date the breach actually began. The notification must cover: the nature of the breach, the categories and numbers of affected persons, the categories and numbers of records, the DPO's contact details, the likely consequences, and the measures taken or proposed.

When also to notify data subjects (Art. 34)? When the breach poses a high risk to rights and freedoms, e.g. leaked passwords, ID numbers, passport data, financial data, medical data, or location data of vulnerable groups. Manner: direct and personal, usually by email or letter. For large numbers of affected persons a public announcement (e.g. a press release) is allowed if individual communication would be disproportionate.

Three exceptions to notifying data subjects:

  • the data was encrypted with state-of-the-art encryption and the key was not compromised;
  • immediate measures neutralised the risk; or
  • individual notification would be disproportionate (in which case a public announcement is made instead).

Documentation duty: every breach, reported or not, must be logged in an internal data breach register. The AP can request this register during an audit.

Fines: failure to notify within 72 hours can result in a fine of up to €10 million or 2% of global turnover (Art. 83(4)). Failure to secure data typically yields larger fines (Art. 83(5), up to €20m / 4%). Examples of AP fines 2023-2025: Booking.com (€475k for late notification of a customer data breach), the Dutch tax authority (internal notification), TikTok (children's data, Irish DPC on behalf of NL).

If YOU are the victim? The business must inform you if the data involved and the risk are both high. Did you not receive a notification despite suspecting the breach affected you? Request access (Art. 15) or complain to the AP.
