GDPR · art. 33-34 · supervisory authority

Data breach notification: what to do in 72 hours.

A personal data breach must be notified to the supervisory authority within 72 hours (GDPR art. 33). Law firms cover the obligation; almost no one covers the technical side: understanding what was really exfiltrated and collecting the evidence. That side is covered by Fortgale.

72h · Notification to the authority
art. 33-34 · GDPR · data subjects
EUR 10M · Penalty, or 2% of turnover
Compliance · GDPR art. 33-34 · Supervisory authority · ISO/IEC 27001 · Forensic standards · MITRE ATT&CK · NIST IR · chain of custody
Data breach ≠ NIS2 incident

Two distinct obligations, often simultaneous.

The same breach can trigger two different notifications, to different authorities, with different deadlines. Confusing them is a risk.

GDPR · Authority · personal data

Notification to the supervisory authority within 72 hours (art. 33), communication to data subjects if the risk is high (art. 34), breach register. Obligation of the data controller.

NIS2 · CSIRT · cyber incident

For essential and important entities: early warning to the national CSIRT within 24 hours. See NIS2 explained.

Together · When both apply

A ransomware attack with personal data exfiltration typically triggers both CSIRT and the supervisory authority. They must be handled in parallel.

The side law firms do not cover

A notification is only as good as the evidence behind it.

The authority asks for the nature of the breach, the data and data subjects involved, the consequences and the measures taken. All of this comes from technical-forensic work, not legal work.

01 · Which data was exfiltrated

Forensic analysis of logs, traffic and artefacts to distinguish what was copied out from what was only encrypted or accessed. The factual basis of the notification.

02 · Evidence for the notification

Collection and preservation of evidence, attack timeline, IOCs, perimeter involved: the material that makes the notification accurate and defensible.

Real case · determining what was exfiltrated

In Operation Storming Tide the Fortgale team reconstructed the multi-stage chain and blocked the RClone exfiltration: establishing what was actually taken out is exactly what an accurate notification needs.

Read the analysis →

Customers in 22 countries across 3 continents →

FAQ · data breach notification

The questions about the notification.

Difference between notifying the authority and the CSIRT?

Two distinct obligations: supervisory authority (GDPR art. 33, personal data, 72h) and national CSIRT (NIS2, cyber incident, early warning 24h). A ransomware case with personal data exfiltration can trigger both. See NIS2 explained.

Within what time must the breach be notified?

Within 72 hours of becoming aware (art. 33). If the risk to data subjects is high, they must also be informed (art. 34). Every breach must be recorded in the breach register.

What does Fortgale do, and what do the DPO or legal counsel do?

Fortgale covers the technical-forensic side: what happened, which data was exfiltrated, evidence, containment. The legal assessment and the act of notification remain with the controller and the DPO or legal counsel.

How do you determine what was exfiltrated?

With forensic analysis of logs, network traffic and artefacts: you reconstruct what the attacker actually copied out, distinguishing it from what was only encrypted. It is the basis of a defensible notification.
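The two FAQ answers above (and the "Which data was exfiltrated" and "Evidence for the notification" points earlier on the page) describe the forensic triage at a high level: separate data that actually left the network from data that was only encrypted or read locally, and preserve the evidence in a way that survives scrutiny. The script below is an added illustration of that workflow and is not Fortgale's tooling or code from this page. It parses constructed key=value egress records (the log format, IP addresses and byte counts are all invented for the example), sums outbound bytes per internal source and external destination, flags pairs above a configurable threshold as exfiltration candidates, and writes a SHA-256 manifest entry for the log file so the analysis can be tied to a chain-of-custody record. Internal-to-internal flows are excluded because lateral traffic (including the I/O of ransomware encrypting a share) is not exfiltration; the 100 MiB threshold is an assumption to tune per environment.

```python
"""Egress-log triage for a breach notification: added example, not vendor code.

Aggregates outbound bytes per (internal source, external destination) from
constructed egress records, flags candidate exfiltration flows above a
threshold, and records a SHA-256 manifest entry for the evidence file.
"""
import hashlib
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real logs). Fields are assumptions:
# ts, src, dst (ip:port), proto, bytes_out, bytes_in, app.
SAMPLE_LOG = """\
ts=2024-05-02T01:12:05Z src=10.0.5.21 dst=203.0.113.44:443 proto=tcp bytes_out=524288000 bytes_in=10240 app=rclone
ts=2024-05-02T01:13:40Z src=10.0.5.21 dst=203.0.113.44:443 proto=tcp bytes_out=734003200 bytes_in=12288 app=rclone
ts=2024-05-02T01:15:02Z src=10.0.5.30 dst=198.51.100.7:443 proto=tcp bytes_out=4096 bytes_in=81920 app=browser
ts=2024-05-02T01:20:11Z src=10.0.5.30 dst=10.0.1.5:445 proto=tcp bytes_out=9000000 bytes_in=1024 app=smb
"""

# Assumed threshold: outbound volume per (src, dst) pair that warrants review.
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024

# RFC 1918 ranges checked explicitly (ipaddress.is_private also treats the
# documentation ranges used in the sample as non-global, so it is not used here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address belongs to one of the internal RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text: str) -> list:
    """Parse key=value lines into dicts; lines without valid byte counts are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for token in line.split():
            key, _, value = token.partition("=")
            fields[key] = value
        try:
            fields["bytes_out"] = int(fields["bytes_out"])
            fields["bytes_in"] = int(fields["bytes_in"])
        except (KeyError, ValueError):
            continue  # malformed record: not usable as evidence of volume
        records.append(fields)
    return records


def aggregate_outbound(records: list) -> dict:
    """Sum bytes_out per (src, dst_ip), ignoring internal-to-internal flows."""
    totals = defaultdict(int)
    for rec in records:
        dst_ip = rec["dst"].rsplit(":", 1)[0]  # strip the port
        if is_internal(dst_ip):
            continue  # lateral movement or local encryption I/O, not egress
        totals[(rec["src"], dst_ip)] += rec["bytes_out"]
    return dict(totals)


def exfil_candidates(totals: dict, threshold: int = EXFIL_THRESHOLD_BYTES) -> list:
    """Return (src, dst, bytes) tuples at or above the threshold, largest first."""
    hits = [(src, dst, b) for (src, dst), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda t: -t[2])


def evidence_manifest_entry(name: str, data: bytes, collected_by: str) -> dict:
    """Chain-of-custody record for one artefact: hash, size, collector, UTC time."""
    return {
        "artefact": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, dst, volume in exfil_candidates(aggregate_outbound(recs)):
        print(f"candidate exfiltration: {src} -> {dst} {volume / 2**20:.1f} MiB")
    print(evidence_manifest_entry("egress.log", SAMPLE_LOG.encode(), "analyst-1"))
```

In practice the same aggregation is run over the full retention window of proxy, firewall and NetFlow data, and the candidate list is then cross-referenced with file-access and process telemetry on the source hosts to name the datasets involved; the manifest entry is what lets the notification cite a specific, hashed artefact rather than a recollection.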

What penalties for failing to notify?

Up to EUR 10 million or 2% of global annual turnover. A timely notification backed by solid technical evidence is also a form of protection in the authority's assessment.

Do you have a data breach in progress?

The right notification comes from solid evidence.

Talk to our analysts: we determine what was exfiltrated, collect the evidence for the notification to the supervisory authority and contain the incident. The legal assessment stays with your DPO or legal counsel; we provide the technical foundation.

Response time: < 1 business day.