What is a data breach — and when must you be told?

A data breach is any unauthorised access, loss or disclosure of personal data. Organisations must report serious breaches to the regulator within 72 hours — and warn you directly when the risk to you is high.

A data breach (GDPR Art. 4(12)) is a security incident leading to destruction, loss, alteration, unauthorised access to or disclosure of personal data. It is much broader than “being hacked”: a stolen laptop, an email to the wrong recipient, a paper file in a public bin, an ex-employee with live CRM access, or a misconfigured cloud bucket all qualify. The 72-hour rule (Art. 33): the organisation must notify its data protection authority within 72 hours of becoming aware, unless the breach is unlikely to pose a risk to the people affected. When must YOU be told? (Art. 34): when the breach likely poses a high risk to you — think leaked passwords, ID documents, financial or health data — the organisation must inform you directly and without undue delay, in plain language, with what happened and what to do. Exceptions: the data was strongly encrypted and the key is safe, or measures already taken have removed the high risk. Every breach must be logged internally, reported or not — regulators can demand the register. Sanctions: up to €10 million or 2% of global turnover for notification failures; poor security itself usually draws the bigger fines. If your data was in a breach, follow our step-by-step My data was leaked — what now?

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority