According to the CIPP/E study guide, Article 33 of the GDPR requires data controllers to notify the

supervisory authority of a personal data breach without undue delay and, where feasible, not later

than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights

and freedoms of natural persons1. Article 34 of the GDPR requires data controllers to communicate

the personal data breach to the data subject without undue delay when the breach is likely to result

in a high risk to the rights and freedoms of natural persons2. Both articles specify the minimum

information that the data controller must provide to the supervisory authority and the data subject,

which includes: the nature of the breach, the categories and approximate number of data subjects

and personal data records concerned, the name and contact details of the data protection officer or

other contact point, the likely consequences of the breach, and the measures taken or proposed to

address the breach and mitigate its possible adverse effects12. However, neither article requires the

data controller to disclose the type of security safeguards used to protect the data, as this

information is not relevant for the purposes of notification and may even compromise the security of

the data further3. Reference: 1: CIPP/E study guide, page 84; Art. 33 GDPR; Guidelines 01/2021 on

Examples regarding Data Breach Notification2: CIPP/E study guide, page 85; [Art. 34

GDPR]; Guidelines 01/2021 on Examples regarding Data Breach Notification3: Personal Data Breach |

European Data Protection Supervisor; What is a data breach and what do we have to do … - European

Commission.

Reference: https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protectionimpact- assessments