Authority · personal data
Notification to the supervisory authority within 72 hours (art. 33), communication to data subjects if the risk is high (art. 34), breach register. Obligation of the data controller.
A personal data breach must be notified to the supervisory authority within 72 hours (GDPR art. 33). Law firms cover the obligation; almost no one covers the technical side: understanding what was really exfiltrated and collecting the evidence. That side is covered by Fortgale.
The same breach can trigger two different notifications, to different authorities, with different deadlines. Confusing them is a risk.
For essential and important entities: early warning within 24 hours to the national CSIRT. See NIS2 explained.
A ransomware attack with personal data exfiltration typically triggers both CSIRT and the supervisory authority. They must be handled in parallel.
The authority asks for the nature of the breach, the data and data subjects involved, the consequences and the measures taken. All of this comes from technical-forensic work, not legal work.
Forensic analysis of logs, traffic and artefacts to distinguish what was copied out from what was only encrypted or accessed. The factual basis of the notification.
Collection and preservation of evidence, attack timeline, IOCs, perimeter involved: the material that makes the notification accurate and defensible.
Eradication of the attackers, containment, safe restore. The forensic work in incident response feeds the notification and stops the damage.
In Operation Storming Tide the Fortgale team reconstructed the multi-stage chain and blocked the RClone exfiltration: establishing what was actually taken out is exactly what an accurate notification needs.
Read the analysis →
Two distinct obligations: supervisory authority (GDPR art. 33, personal data, 72h) and national CSIRT (NIS2, cyber incident, early warning 24h). A ransomware case with personal data exfiltration can trigger both. See NIS2 explained.
Within 72 hours of becoming aware (art. 33). If the risk to data subjects is high, they must also be informed (art. 34). Every breach must be recorded in the breach register.
Fortgale covers the technical-forensic side: what happened, which data were exfiltrated, evidence, containment. The legal assessment and the act of notification remain with the controller and the DPO or legal counsel.
Through forensic analysis of logs, network traffic and artefacts: you reconstruct what the attacker actually copied out and distinguish it from what was only encrypted. This is the basis of a defensible notification.
Up to EUR 10 million or 2% of global annual turnover. A timely notification backed by solid technical evidence is also a form of protection in the authority's assessment.
Talk to our analysts: we determine what was exfiltrated, collect the evidence for the notification to the supervisory authority and contain the incident. The legal assessment stays with your DPO or legal counsel; we provide the technical foundation.
Response in 30 minutes, containment in 1–4 hours. Even if you are not a Fortgale customer.