A data protection breach in a company can have serious consequences. The goal, of course, is to avoid data breaches large and small. But if a data leak does occur, it must be dealt with quickly and correctly. This article explains how.

When is there a data protection breach?

Basically, we speak of a data protection breach when protected data is leaked to the outside. This is usually the case when a hacker attack affects the system or malware has otherwise found its way into it.

In essence, a data breach and a data security breach are the same thing. The difference is in intent: a breakdown is an unintentional data breach, while the term data breach is more likely to be used when the data leak was deliberately accepted.

However, the General Data Protection Regulation (GDPR) makes no distinction and defines a data breach as an “unintentional or unlawful violation of the protection of personal data”.

If personal data is leaked to the outside world, this is a data breach, regardless of how it occurred. At first glance, this sounds like a major disaster. But it doesn’t have to be.

Data breaches come in different forms, and they don’t always mean the end of the company. Depending on the breach, dealing with it can require different measures.

The obligation to report data protection mishaps

In the case of serious data protection violations or data mishaps, there is a duty to notify the competent supervisory authority. The authority is then responsible for determining and initiating the consequences, which are usually high fines.

However, by no means every data protection breach has to be reported. Whether a data protection breach counts as serious can be determined on the basis of three factors:

A data protection breach has occurred as a result of the data mishap.
Unauthorized access to data has occurred as a result of the data protection breach.
The access to the data has resulted in harm to data subjects, or at least in a risk to the rights and freedoms of data subjects.

When and why this is the case can, of course, be interpreted in different ways. It is best to enlist the help of a security officer who brings the necessary expertise. He or she knows what to look out for and when a serious data breach has occurred.

If a report has to be made, the supervisory authority must be informed within 72 hours. The GDPR specifies the information that must be communicated to the supervisory authority:

Name and contact details of the data protection officer
A precise description of the data protection breach
The category to which the data protection breach belongs
The data sets that have fallen into the wrong hands and how many individuals are affected
The consequences for the data subjects
The actions you will take to mitigate the damage and resolve the data breach
Documentation of all information, steps and measures

This allows the supervisory authority to understand exactly what occurred and how you acted.

Compliance with the 72-hour deadline

It is essential to comply with the 72-hour deadline for notifying the supervisory authority. If it cannot be met, a very good justification should be provided, for example that several attacks occurred in quick succession and the last 72 hours were spent limiting the damage.

However, it is not mandatory to provide all of the information within the 72 hours, which is not always possible anyway. It is sufficient to submit at least a basic report to the supervisory authority within the deadline; further information can then be submitted in a timely manner.

The notification is submitted electronically via the website of the competent supervisory authority.


A data protection breakdown in the company is never pleasant, but it does not have to have serious consequences. What matters is acting correctly and quickly. The reporting obligation applies only to a data protection breach that fulfills the factors described above. In that case, however, it is imperative to act promptly so that the consequences do not become worse than they already are.