When an organisation discovers it has suffered a personal data security breach, the first question that arises is: how much time do we have? The answer of Regulation (EU) 2016/679 (GDPR) is precise yet nuanced: 72 hours from the moment the data controller becomes aware of the breach, not from the moment it actually occurred. That distinction, contained in Article 33(1) of the GDPR, is the cornerstone of the entire notification protocol to the Agencia Española de Protección de Datos (AEPD — the Spanish Data Protection Authority) and, if mismanaged, can turn a technically correct response into a formal infringement.
This article focuses exclusively on the calculation of the deadline: when the clock starts, what it means legally to "become aware" of a breach, how the internal investigation phase interacts with the deadline, when the justified delay under Article 33(1) is valid, and when and how to use phased notification under Article 33(4) GDPR. For the minimum content required by Article 33(3), the differences between notification to the AEPD and communication to data subjects, the mandatory internal breach register, and the role of the data processor, see our companion article: How to notify a data breach to the AEPD within 72 hours.
When does the 72-hour deadline start?
The starting point of the calculation is the moment the data controller becomes aware of the breach. This wording — deliberately different from "when the breach occurs" — reflects the reality of security incidents: many attacks remain dormant for days or weeks before being detected, and requiring notification from the moment of the incident would have made the deadline impossible to meet in most cases.
The Article 29 Working Party (now the European Data Protection Board, EDPB) clarified in its Guidelines on Personal Data Breach Notification (WP250rev.01, adopted in February 2018) that a controller "becomes aware" when it has a reasonable degree of certainty that a security incident has occurred that has affected personal data. It is not necessary to have complete information on the scope of the breach; it is sufficient to know that something has happened that, with reasonable probability, constitutes a breach within the meaning of Article 4(12) GDPR.
In practice, the moment of awareness may be:
- Receipt of an alert from an intrusion detection system (SIEM, EDR, IDS).
- Notification from the data processor (cloud provider, hosting company) under Article 33(2) GDPR.
- A report from an employee or user who detects anomalous behaviour.
- Receipt of a request from the AEPD or a third-party notification that reveals the existence of the breach.
- Internal discovery during a security audit.
From that moment, the clock runs continuously, in calendar hours, without interruption for weekends or public holidays. A breach detected on a Friday at 18:00 must be notified no later than Monday at 18:00. The AEPD's electronic headquarters is available 24 hours a day, 365 days a year.
The preliminary investigation phase: when does one "know" there is a breach?
This is one of the most delicate points. When the security team detects an anomaly, it typically opens an internal investigation to confirm whether a breach has actually occurred and what its scope is. Does the deadline start during that investigation or at the end of it?
The EDPB has indicated that a reasonable initial investigation — lasting hours, not days — is compatible with the 72-hour deadline. However, prolonging that investigation beyond what is necessary in order to delay notification is incompatible with the principle of "without undue delay". The AEPD and other European supervisory authorities have sanctioned cases in which an organisation took days or weeks to notify, arguing it was still investigating.
The practical rule: if after 24–48 hours of investigation there is sufficient evidence that a breach with risk to data subjects has occurred, the notification process must be initiated even if the investigation has not concluded. That is precisely what phased notification is for.
If your organisation needs support structuring an incident-response protocol that distinguishes the analysis phase from the notification phase, at Summum Consultoria we provide end-to-end security breach management from detection to incident closure.
The justified delay under Article 33(1) GDPR
Article 33(1) of the GDPR acknowledges that in certain circumstances it may not be possible to notify within 72 hours. Where notification is made after that deadline, the controller must accompany it with a reasoned justification for the delay. The regulation does not set an explicit maximum cap for this additional margin, but the AEPD's and EDPB's enforcement practice shows that delays exceeding 7–10 days are difficult to justify except in cases of extraordinary technical complexity.
The justified delay is not a resource for waiting until all data are available before notifying: phased notification exists for that purpose. The admissible justification is one that demonstrates that detecting the breach itself required a reasonable amount of time and that the organisation acted diligently from the first moment it had indications of the incident.
Phased notification: when and how to use it
Article 33(4) of the GDPR expressly recognises the possibility of providing the required information in phases without further undue delay when it is not possible to provide it all at once. This gives rise to the so-called phased notification or staged notification.
The typical approach is as follows:
- Initial notification (within 72 hours): the AEPD is informed that a breach has occurred, with the information available at that time: approximate nature of the incident, categories of data likely affected, estimated number of data subjects, internal contact point, and containment measures taken so far. It is expressly stated that the notification is provisional and will be supplemented.
- Supplementary notification (in the following days): once the investigation is complete, the missing information is provided: exact number of data subjects affected, specific compromised records, impact analysis, definitive corrective measures, and an improvement plan.
The AEPD accepts this mechanism but requires that updates be submitted without unjustified delay. It is not acceptable to submit the initial notification to "stop the clock" and then leave the supplementary notification indefinitely pending.
The data processor and the start of the clock
When a breach is detected by a data processor (software provider, hosting company, cloud document manager), Article 33(2) of the GDPR requires it to inform the controller without undue delay. It is that internal communication which, in practice, marks the start of the 72-hour deadline for the controller. Data Processing Agreements must therefore include clauses setting a maximum period — typically 24 hours from detection by the processor — within which the processor will communicate the breach, so that the controller can meet its own notification obligation to the AEPD within the legal deadline. The remaining implications of the processor's role, the minimum content of the notification and the internal breach register are covered in the companion article on how to notify a data breach to the AEPD.
Sanctions regime: what the GDPR provides
Failure to comply with the breach notification obligation falls under Article 83(4) of the GDPR, which provides for fines of up to EUR 10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. When determining the level of a fine, the AEPD takes into account factors such as negligence versus intent, cooperation with the authority, harm caused to data subjects and measures taken to mitigate the effects. A late but voluntary notification accompanied by a reasoned justification is treated very differently from a deliberate omission.
Frequently asked questions
Is the 72-hour deadline calculated in calendar hours or business hours?
In calendar hours, without interruption for weekends or public holidays. Article 33(1) of the GDPR does not provide for any suspension of the calculation. If the controller detects the breach on a Saturday at 10:00, it has until Tuesday at 10:00 to notify the AEPD. That is why it is essential to have response protocols that can be activated outside normal office hours.
What happens if 72 hours have already passed by the time the internal investigation concludes?
Article 33(1) of the GDPR allows notification after the deadline when there are justified reasons for the delay, which must be explained in the notification itself. However, this leeway is not unlimited: the AEPD distinguishes between a reasonable investigation that runs a few hours or a day over and a delay that evidences a lack of diligence. The recommendation is to notify with the information available within 72 hours and complete the notification in phases (art. 33(4) GDPR), rather than waiting until all data are available.
Does the company have to notify if the breach was suffered by an external provider?
Yes, if that provider acts as a data processor for personal data whose responsibility lies with the company. The processor must inform the controller without delay (art. 33(2) GDPR), and the controller is the one who notifies the AEPD. The moment the controller receives that communication from the processor is normally the starting point of the 72-hour clock. That is why Data Processing Agreements must expressly regulate the time within which the provider will communicate the breach, normally no more than 24 hours from detection.