📖 Privacy explained

What is a data breach under GDPR?

A data breach is any unauthorised access, loss or disclosure of personal data — from a stolen laptop to a misaddressed email.

Last reviewed: 24 May 2026
A data breach (GDPR Art. 4(12)) is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. The definition is deliberately broad. Examples: a stolen or lost laptop holding customer data, a hacked website from which data is leaked, an email containing personal data sent to the wrong recipient, a paper file dumped in a public bin, a former employee who still has CRM access, malware exfiltrating data, a misconfigured S3 bucket.

Notification duty (Art. 33-34): as data controller you must notify the Autoriteit Persoonsgegevens (the Dutch data protection authority, AP) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected persons. Where the risk is high, you must also inform the affected persons themselves, usually by letter or email.

When is NO notification required? Only if the data was protected with state-of-the-art encryption and the key was not compromised, OR if you intervened immediately and reduced the risk to a negligible level.

Documentation: every breach, reported or not, must be logged in an internal data breach register. The AP can request this register.

Fines? Failure to notify within 72 hours can attract a fine of up to €10 million or 2% of global turnover (Art. 83). Failure to secure the data in the first place typically results in larger fines (Art. 32).

What if YOU are the victim? The company must inform you if your data has leaked and the risk is high. If it does not, you can complain to the AP. If you have suffered damage, you can claim damages under Art. 82.
Ready to act?

We'll draft the right letter for you

Personalised PDF · Send-ready · One-off €9,99
  • ⚡ PDF in your inbox in 60 seconds
  • 📄 BTW-compliant invoice included
  • ↩️ 30-day fix-it guarantee

🔎 Common search variants

Recognise your own search? Our answer above covers these too.

  • what is a data breach
  • gdpr breach 72 hours
  • data breach notification
  • data breach register