When a security breach occurs in your organisation, the clock starts from the moment you become aware of the incident. The General Data Protection Regulation (EU) 2016/679 (GDPR) imposes a 72-hour deadline to notify the Spanish Data Protection Agency (AEPD), and not every organisation knows what steps to take or in what order. This article answers the most common questions with regulatory precision.
What is a data breach under the GDPR?
Article 4(12) of the GDPR defines a personal data breach as «a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed».
This covers three types of incident:
- Confidentiality breach: unauthorised or accidental access to or disclosure of personal data (a cyberattack that exfiltrates data, an email sent to the wrong recipient, a document accidentally published).
- Integrity breach: unauthorised or accidental alteration of personal data.
- Availability breach: loss or destruction of personal data (ransomware encrypting files, a hard drive failure without backup).
A security incident that does not affect personal data — for example, a production server outage that stores no personal information — is not a breach under the GDPR. But if that server hosts a CRM containing customer data and access is lost, an availability breach has occurred.
Must every breach be notified to the AEPD?
No. Article 33(1) of the GDPR states that notification to the supervisory authority is mandatory unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The practical rule: when in doubt, notify. Omitting a required notification constitutes an infringement that may fall within the sanctioning framework of Article 83 of the GDPR (up to €10,000,000 or 2% of total worldwide annual turnover, depending on the type of infringement).
The AEPD provides an indicative risk assessment tool to help determine whether an incident requires notification. It is not legally binding, but it documents your reasoning and reduces exposure if you can demonstrate that the decision not to notify was reasoned and documented.
What does Article 33 of the GDPR actually say?
Article 33 of Regulation (EU) 2016/679 requires the controller to:
- Notify the competent supervisory authority (in Spain, the AEPD) without undue delay and, where feasible, not later than 72 hours after having become aware of it.
- If notification cannot be made within 72 hours, accompany it with the reasons for the delay.
- Document any personal data breach, whether or not it is notified, including the facts, its effects, and the remedial action taken.
The processor (the supplier processing data on behalf of the controller) is obliged to inform the controller without undue delay after becoming aware of a breach (Art. 33(2) GDPR), but is not required to notify the AEPD directly: that obligation rests with the controller.
What information must the notification to the AEPD include?
Article 33(3) of the GDPR sets out the minimum content of the notification:
- The nature of the breach: type of breach (confidentiality, integrity, availability), categories and approximate number of data subjects affected, and categories and approximate number of personal data records concerned.
- The name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Article 33(4) allows information to be provided in phases without undue further delay when it is not possible to provide all information at the same time. In practice, this means it is better to notify on time with partial information — and supplement it later — than to wait until you have every detail and miss the 72-hour deadline.
How do you notify the AEPD?
The AEPD has set up a dedicated channel through its electronic office. The procedure is called «Notificación de brechas de seguridad» (Notification of security breaches) and is available on the AEPD's electronic office. The organisation must identify itself using a digital certificate or the Cl@ve system and complete the form, which follows the structure of Article 33(3) GDPR.
There is no mandatory standardised template beyond the AEPD's online form, but organisations are strongly advised to maintain an internal incident record sheet containing: date and time of detection, description of the incident, data affected, systems involved, immediate measures taken, and the person responsible for incident management.
When must affected individuals be informed of the breach?
Communication to data subjects is a separate and additional obligation to notification of the AEPD, governed by Article 34 of the GDPR. This communication is mandatory when the breach is likely to result in a high risk to the rights and freedoms of natural persons. The threshold is higher than for authority notification: there must be not merely a risk, but a high risk.
Factors that elevate the risk assessment to «high» include: involvement of special categories of data (health, political opinion, racial or ethnic origin, criminal convictions), large number of individuals affected, possibility of direct financial or social harm (identity theft, financial fraud), or combinations of data enabling extensive profiling of individuals.
Communication to data subjects must be made without undue delay (the GDPR sets no specific number of hours here, but the AEPD recommends acting as soon as possible once the nature and scope of the breach are confirmed). It must describe, in clear and plain language, the nature of the breach, its likely consequences, and the measures taken or recommended.
Communication to data subjects is not required when any of the exceptions in Article 34(3) GDPR apply: the data were encrypted with a strong, inaccessible key; technical measures have been taken that eliminate the risk; or communication would involve a disproportionate effort, in which case a public communication is made instead.
What role does the DPO play in breach management?
The data protection officer (DPO), whose role is regulated under Articles 37 to 39 of the GDPR, must be informed immediately when a possible breach is detected. Their functions in this context include:
- Advising the controller on whether the incident constitutes a breach under the GDPR and whether notification is required.
- Coordinating the risk assessment and identifying which data and data subjects are affected.
- Supervising the preparation and submission of the notification to the AEPD.
- Acting as the contact point with the AEPD during the investigation.
- Documenting the incident in the internal breach register.
A DPO is mandatory in the cases set out in Article 37 of the GDPR: public authorities and bodies, organisations carrying out large-scale processing of special categories of data, and organisations whose core activities require large-scale systematic monitoring of data subjects. However, for organisations that do not have a mandatory DPO, the AEPD also recommends designating an internal contact point for incident management.
At Summum Consultoría, we accompany organisations through the management and notification of data breaches, from detection to closure, with protocols tailored to the size and sector of each organisation.
What must the internal breach register contain?
Regardless of whether the breach is notified to the AEPD, Article 33(5) of the GDPR requires the controller to document all personal data breaches. The register must include, at a minimum:
- Description of the facts (what happened, when, how it was detected).
- Effects of the breach (data affected, number of data subjects, observed consequences).
- Corrective measures taken (containment, recovery, preventive improvements).
- Decision on notification to the AEPD (with justification if notification was not required).
- Decision on communication to data subjects (with justification if communication was not required).
There is no prescribed format for this register, but it must be sufficiently detailed to demonstrate to the AEPD — in the event of a subsequent investigation — that the organisation acted with due diligence. Organic Law 3/2018 of 5 December (LOPDGDD) complements the GDPR in Spanish law without modifying this notification regime.
Frequently asked questions
Does the 72-hour clock start when the breach occurs or when it is detected?
The 72-hour period begins from the moment the controller becomes aware of the breach, not from when it occurred. This matters in attacks that may have started days before they are detected: the clock starts at detection. That said, organisations must maintain reasonable detection systems; claiming ignorance when there were obvious warning signs does not absolve liability.
If the breach is detected on a Friday evening, is the deadline suspended over the weekend?
No. The 72-hour deadline in Article 33(1) of the GDPR is counted in calendar hours, not working hours. A breach detected on Friday at 20:00 must be notified by Monday at 20:00 at the latest. The AEPD's electronic office is available around the clock. This reinforces the need for internal protocols that can be activated outside office hours.
What happens if notification is submitted late?
A late notification should still be submitted; it must be accompanied by an explanation of the reasons for the delay (Art. 33(1) GDPR, final clause). The AEPD takes transparency and cooperation into account positively. By contrast, the complete omission of a required notification may be sanctioned within the framework of Article 83 of the GDPR, with penalties of up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher.
Can the AEPD open an investigation even if the organisation notified correctly?
Yes. Notification does not shield the organisation from investigation. The AEPD may initiate proceedings of its own motion to verify whether adequate technical and organisational measures were in place before and after the breach. However, having notified on time and in full, and having documented the incident correctly, are factors the AEPD takes into account when assessing the organisation's diligence.
If a cloud provider suffers a breach, does it have to notify the AEPD?
If the cloud provider acts as a processor (processing data on behalf of the controller), its obligation is to notify the controller without undue delay, but not the AEPD directly. Notification to the AEPD is the controller's responsibility. This is why contracts with cloud providers must include data processing clauses that expressly regulate internal breach notification procedures and maximum response timelines.
If you wish to review your breach response protocols or need support managing an active incident, Summum Consultoría's data protection team is available to organisations in Castile and León and the Canary Islands.