When a personal data security breach occurs, many organisations focus all their efforts on notifying the Agencia Española de Protección de Datos (AEPD — Spain's data-protection authority) within the 72-hour deadline imposed by art. 33 of Regulation (EU) 2016/679 (GDPR). However, there is a second obligation that is often overlooked or handled late: the direct communication to the individuals whose data has been compromised, governed by art. 34 of the GDPR. This obligation has its own activation threshold, its own minimum content requirements and its own exceptions, and failure to comply can be sanctioned under art. 83 of the GDPR.
This article provides a rigorous normative analysis of the art. 34 GDPR regime: when the duty to communicate a breach to affected individuals arises, what that communication must say, when it can legitimately be omitted, and the role of the Data Protection Officer (DPO) throughout the process. If you would like to review the AEPD notification first, you can read our article on how to notify the AEPD of a security breach within 72 hours.
Art. 33 vs art. 34 GDPR: two distinct obligations
Before examining art. 34 in depth, it is worth clarifying the structural difference between the two communication obligations the GDPR imposes following a security breach:
| Aspect | Art. 33 GDPR — Notification to the AEPD | Art. 34 GDPR — Communication to individuals |
|---|---|---|
| Recipient | Supervisory authority (AEPD in Spain) | Data subjects / affected natural persons |
| Activation threshold | Likely risk to rights and freedoms | High likely risk to rights and freedoms |
| Deadline | Without undue delay; maximum 72 hours from becoming aware | Without undue delay (no specific number of hours) |
| Obligated party | Controller | Controller |
| Exceptions | Unlikely risk (art. 33.1) | Robust encryption, remedial measures, disproportionate effort (art. 34.3) |
| Channel | AEPD electronic portal | Direct communication to the data subject (or public communication where the exception applies) |
In short: art. 34 GDPR is triggered when the level of risk to individuals is more serious than the ordinary threshold of art. 33. An organisation may be required to notify the AEPD (art. 33) without being obliged to communicate to affected individuals (art. 34) if the risk, although present, does not reach the high level. The reverse — communicating to individuals without having notified the AEPD — would in practice be incoherent and barely justifiable.
The “high risk” threshold for the rights and freedoms of the individual
Art. 34.1 GDPR states that the controller “shall communicate the personal data breach to the data subject without undue delay, where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons”. Determining that high risk is not automatic: it requires a concrete assessment of the likelihood that the breach will cause real and significant harm to the individuals whose data has been compromised.
The AEPD Guide for the Management and Notification of Security Breaches, as well as the guidelines of the European Data Protection Board (EDPB), identify the factors that elevate a risk assessment to the category of high:
- Special categories of data: health data, racial or ethnic origin, religious beliefs, political ideology, genetic data, biometric data used for identification, data concerning sex life or sexual orientation, or data relating to criminal convictions and offences (arts. 9 and 10 GDPR). Exposure of any of these data categories almost automatically elevates the risk.
- Financial or banking data: card numbers, online banking credentials, current account details. The risk of direct financial fraud is immediate.
- Children's data: any breach affecting data of minors warrants a reinforced risk assessment given their particular vulnerability.
- Data of vulnerable individuals: patients, persons in social exclusion, victims of violence.
- Combination of data enabling identity theft: for example, full name + national ID number + date of birth + address, or access credentials to digital services.
- Large number of individuals affected: the greater the volume of affected persons, the greater the scale of potential impact, although volume alone is not decisive.
- Risk of permanent or hard-to-reverse harm: disclosure of health data or intimate images, for example, can cause reputational or psychological damage that has no immediate remedy.
The risk assessment must be documented regardless of the outcome: if the conclusion is that there is no high risk and therefore no communication to individuals is made, that decision must be justified in the internal security breach register required by art. 33.5 GDPR.
Minimum content of the communication to the individual
Art. 34.2 GDPR states that the communication to data subjects must describe, “in clear and plain language”, the following elements:
- Nature of the breach: what type of incident occurred (unauthorised access, device theft, accidental disclosure, ransomware, etc.) and what personal data was affected.
- Contact details of the DPO or contact point: the name and contact details of a person or team to whom the affected individual can turn for further information or to exercise their rights.
- Likely consequences of the breach: what may happen to the individual as a result of the breach (identity theft, unauthorised access to their accounts, reputational damage, etc.).
- Measures taken or proposed by the controller: what the organisation is doing to remedy the breach and to reduce or eliminate its adverse effects on individuals. This may include specific recommendations for the individual to protect themselves (password change, card cancellation, banking fraud alert).
The communication must be written in language that the individual can understand, free from legal or technical jargon that would hinder comprehension of the real risk they face. Sending a copy of the technical incident report is not sufficient; the controller must draft a text specifically for the affected persons, with clear instructions and an accessible contact channel.
As for the channel, the GDPR does not prescribe a specific medium, but common practice and AEPD recommendations point to the usual communication channel with the data subject (email if available, postal letter if there is no electronic address, or even telephone in high-impact cases). Where the number of affected individuals is very large and individual communication is disproportionate, the disproportionate-effort exception (art. 34.3.c) may be invoked, as analysed below.
If your organisation has suffered a breach and needs guidance drafting this communication or assessing the risk level, at Summum Consultoría we support companies in the end-to-end management of security breaches, from detection through to the documentary closure of the incident.
Exceptions: when communication to the individual is not required
Art. 34.3 GDPR sets out three exceptions that allow the controller not to communicate directly to data subjects, even if the incident has exceeded the high-risk threshold. These exceptions are to be interpreted strictly and must be substantiated with documentation.
First exception: data encrypted with adequate technical safeguards
Communication to affected individuals is not required if the controller “has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption” (art. 34.3.a GDPR).
This exception applies when:
- The data was encrypted with a robust algorithm and the decryption key was not compromised in the breach.
- The data was pseudonymised in a way that does not allow the data subject to be identified without an additional key that remains under the controller's control.
The exception does not apply if the attacker also obtained the encryption key, if the encryption used is weak or obsolete, or if the stolen data includes both the encrypted data and the decryption mechanisms. In case of doubt, the safest approach — and the one recommended by the AEPD — is to communicate to affected individuals nonetheless.
Second exception: corrective measures that eliminate the high risk
If the controller has adopted technical or organisational measures after the breach that ensure the high risk to the rights and freedoms of data subjects is no longer likely, communication may be omitted (art. 34.3.b GDPR). An example would be a database accessed without authorisation whose data has been verifiably destroyed before being used, or a compromised account whose password has been reset and access cancelled before any harmful actions occurred.
This exception requires objective evidence that the risk has been neutralised, not merely an expectation or presumption. The burden of demonstrating that the risk has disappeared lies with the controller.
Third exception: disproportionate effort and alternative public communication
Where individual communication to each data subject “would involve disproportionate effort”, art. 34.3.c GDPR allows it to be replaced by a public communication or similar measure by which data subjects are informed in an equally effective manner. This is the most delicate exception, as it may be invoked incorrectly as a shield to avoid individual communication simply because it is inconvenient or costly.
The AEPD takes the view that disproportionate effort must be assessed objectively: the number of affected individuals is very high, no up-to-date contact database exists, or the costs of individual communication would be extraordinarily high relative to the real impact of the breach. The fact that communication is merely inconvenient or ordinarily costly is insufficient.
Where public communication is chosen, it must be genuinely accessible to affected individuals: publishing a notice in a low-visibility section of the corporate website or in the legal notice does not meet the requirement. Media such as press releases in relevant outlets, posts on widely followed social media channels, or publications in the relevant Official Gazette if the scale of the breach justifies it should be considered.
When must communication be made? The concept of “without undue delay”
Unlike art. 33 GDPR, which sets a maximum of 72 hours for notification to the AEPD, art. 34 does not specify a number of hours for communication to individuals. The phrase used is “without undue delay”, which in practice means as soon as is reasonably possible, once the nature and scope of the breach have been confirmed.
The AEPD recommends that communication to affected individuals be made, as far as possible, contemporaneously with or immediately after the notification to the Authority itself. In any event, delay is only justified if premature communication — before the full extent of the incident is known — could cause unnecessary confusion or alarm. That waiting period to verify the facts should be the minimum strictly necessary and must be documented.
In large-scale incidents affecting thousands or millions of individuals — such as those occurring on digital platforms or at financial institutions — communication may require a phased plan, but this does not exempt the organisation from acting as quickly as possible. The AEPD Guide for the Management and Notification of Security Breaches provides specific guidance for these scenarios.
The DPO's role in communicating with affected individuals
The Data Protection Officer (DPO), whose appointment is mandatory in the cases set out in art. 37 GDPR and which many organisations fulfil through an external DPO, plays a central role in deciding whether communication to affected individuals is required and in supervising its content and channel.
Their specific functions in relation to art. 34 GDPR include:
- Assessing whether the risk associated with the breach reaches the high-risk threshold that triggers the communication obligation.
- Reviewing the draft communication to ensure it meets the requirements of art. 34.2 (plain language, complete content, correct contact details).
- Advising on whether any of the exceptions in art. 34.3 apply and documenting the reasoning.
- Coordinating with communications, customer service and technology departments to ensure the communication reaches as many affected individuals as possible through the most appropriate channel.
- Acting as the contact point for individuals who wish to exercise their rights or request further information.
- Recording the entire process in the incident record of the internal security breach register.
In organisations without a designated DPO, these functions must fall to the person or team responsible for data protection, supported by a specialist external adviser if the complexity of the incident so requires. The Summum Consultoría team provides security breach management support services to organisations in Castilla y León and the Canary Islands, with offices in Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas.
Sanctions for non-compliance with art. 34 GDPR
Failure to fulfil the obligation to communicate a breach to affected individuals when legally required falls under art. 83.4 GDPR, which provides for fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. This is not an infringement at the maximum level of art. 83.5 (which reserves the highest sanctions for violations of fundamental processing principles or data subjects' rights), but the potential amount remains significant for any organisation.
The LOPDGDD (Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights) complements the GDPR in the Spanish legal order and confers the corresponding sanctioning powers on the AEPD. When assessing the seriousness of the infringement, the AEPD takes into account factors such as the nature, gravity and duration of the infringement, the number of data subjects affected, the level of damage suffered, whether the infringement was intentional or negligent, and the measures adopted to mitigate the harm.
It is important to note that the AEPD can sanction not only for failure to communicate to individuals: it can also investigate whether the communication was made late, whether its content was incomplete or confusing, or whether the invoked exception (encryption, disproportionate effort) was not adequately justified.
Frequently asked questions
Must the breach be communicated to individuals if the AEPD has already been notified?
These are independent obligations. Notification to the AEPD (art. 33 GDPR) is triggered by any breach with a likely risk to individuals' rights and freedoms. Communication to individuals (art. 34 GDPR) is only mandatory when that risk is high. It is entirely possible for an organisation to be required to notify the AEPD but not the affected individuals, if the risk level, although present, does not reach the “high” threshold. The reverse — communicating to individuals without having notified the AEPD, where notification was required — would also constitute a breach of art. 33.
What if the contact details of the affected individuals are outdated or incomplete?
If the controller does not have up-to-date contact details for all affected individuals, it must attempt to contact them via the most effective available channel and document the efforts made. If the situation affects a significant number of individuals and makes individual communication unfeasible, the disproportionate-effort exception under art. 34.3.c GDPR may apply, replacing direct communication with a public communication that is equally effective. In any case, the AEPD expects the controller to demonstrate that all reasonable avenues were exhausted before resorting to this exception.
Can the AEPD require the controller to communicate the breach to individuals even if the controller decided not to?
Yes. Art. 34.4 GDPR expressly states that “where the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met”. The AEPD, in the context of an investigation or active supervision, can order the controller to make the communication if it considers that the high-risk threshold is met and that none of the exceptions under art. 34.3 is applicable.
Must communication to individuals be provided in all the languages of the data subjects?
The GDPR requires the communication to be in “clear and plain language” (art. 34.2), which means the individual must be able to understand it without difficulty. If the affected data subjects speak languages other than that of the organisation, the communication should be made in the data subject's language, or at least in a language they can reasonably be expected to understand. The EDPB guidelines on breach communication stress this point, particularly in cross-border contexts or for organisations operating across multiple EU Member States.