Data breach handling and the representative’s role

When a personal data breach happens, the GDPR sets tight deadlines. Here is the 72-hour rule, when you must tell affected individuals, and where your EU representative fits in.

Two deadlines that matter

When a personal data breach occurs, the GDPR imposes two separate notification duties. Knowing both — and acting fast — is what keeps a bad day from becoming an enforcement case.

  • Authority notification (Article 33): within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals.
  • Individual notification (Article 34): without undue delay when the breach is likely to result in a high risk to people’s rights and freedoms.

What to do, in order

  1. Contain the breach and assess what data and how many people are affected
  2. Decide whether it is likely to result in a risk (authority) and a high risk (individuals)
  3. Notify the competent supervisory authority within 72 hours of awareness if required
  4. Inform affected individuals without undue delay where the high-risk threshold is met
  5. Record the breach, your assessment and the actions taken — even if you do not notify

Where the representative fits

The controller makes the breach notification, but your EU representative is the reachable EU contact point throughout. Authorities and affected individuals can address the representative, which matters when communications are time-critical and need to land somewhere inside the Union rather than an inbox on another continent.

On Premium, Usantis adds breach support (phone access and help drafting communications) and priority handling of authority follow-ups. The full role is covered in the guide on the duties of the representative.

Last updated 2026-05-23.

Get your EU representative in about ten minutes

€99/month, fully self-service, with DSAR handling and a hosted compliance page included.