
GDPR Article 34: Communicating a Data Breach to Data Subjects (2026)
GDPR Article 34 requires a controller to communicate a personal data breach to the affected individuals — without undue delay — when the breach is likely to result in a high risk to their rights and freedoms. This is a deliberately higher threshold than the Article 33 duty to notify the supervisory authority: many breaches that must be reported to a regulator never need to be communicated to the individuals themselves.
Telling customers their data was exposed is the moment a breach stops being an internal incident and becomes a public, reputational, and legal event. Article 34 governs exactly when that moment is legally required, what you must say, and — just as importantly — the three situations where you are exempt.
Key Takeaways
- The trigger is "high risk" to individuals — a higher bar than the "risk" threshold that triggers notification to the authority under Article 33.
- The deadline is "without undue delay", not a fixed 72 hours. In practice, regulators expect prompt communication once high risk is established.
- The message must be in clear and plain language and contain three mandatory elements.
- Three exceptions apply (Article 34(3)): effective encryption, subsequent risk-mitigating measures, or disproportionate effort (allowing a public communication instead).
- The supervisory authority can compel communication (Article 34(4)) even if you concluded it was not required.
- Failure to communicate is fineable under Article 83(4) — up to EUR 10 million or 2% of global turnover.
What Article 34 Requires
Article 34(1) of Regulation (EU) 2016/679 states the obligation directly:
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
The obligation is owed to the data subjects — the individuals whose data was breached — not to a regulator. It is the GDPR's transparency mechanism at its sharpest: people have a right to know when a breach exposes them to genuine harm, so they can take protective steps such as changing passwords, watching for fraud, or cancelling a card.
A breach is "likely to result in a high risk" when it could have significant adverse effects on individuals — for example discrimination, identity theft or fraud, financial loss, reputational damage, loss of confidentiality, or any other significant economic or social disadvantage. The EDPB Guidelines 9/2022 and the accompanying examples guidance treat the risk of identity theft as a particularly strong indicator: in the EDPB's worked examples, the breaches that require data-subject notification almost all involve that risk.
High Risk vs. Risk: Article 34 vs. Article 33
The single most misunderstood point about breach notification is that Articles 33 and 34 use two different thresholds and produce two separate decisions.
| Dimension | Article 33 — Notify the authority | Article 34 — Communicate to individuals |
|---|---|---|
| Threshold | Likely to result in a risk | Likely to result in a high risk |
| Recipient | Competent supervisory authority | Affected data subjects |
| Deadline | 72 hours from awareness | Without undue delay |
| Exceptions | Below the risk threshold | Three specific exceptions (Art. 34(3)) |
| Fine tier | Up to €10M / 2% (Art. 83(4)) | Up to €10M / 2% (Art. 83(4)) |
A breach can require notification to the authority (Article 33) without requiring communication to individuals (Article 34). A breach that triggers Article 34 will almost always also trigger Article 33. The controller's risk assessment — ideally completed during the same 72-hour window — must answer both questions, and document the reasoning either way under Article 33(5).
What Goes in the Communication
Article 34(2) requires the communication to describe, in clear and plain language, the nature of the personal data breach and to contain at least the same substantive elements as the authority notification, minus the technical breach-categorisation detail:
| Element | What to include |
|---|---|
| Contact point | The name and contact details of the data protection officer or other contact from whom more information can be obtained |
| Likely consequences | A description of the likely consequences of the personal data breach |
| Measures taken | A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects |
"Clear and plain language" is a substantive requirement, not a stylistic preference. The communication is aimed at ordinary people, not lawyers — legalese, hedging, or burying the lede can itself be treated as non-compliance. Good practice is to lead with what happened, what data was involved, and concrete steps the individual should take now.
Timing: "Without Undue Delay"
Unlike Article 33, Article 34 sets no fixed numeric deadline — the standard is "without undue delay." That is not a licence to wait. Once you have established that the high-risk threshold is met, the clock on undue delay is running, and regulators expect communication to follow promptly. Recital 86 indicates that communication should be made as soon as reasonably feasible, in close cooperation with the supervisory authority and following its guidance.
In practice, controllers often coordinate the timing of the Article 34 communication with the supervisory authority that received the Article 33 notification, particularly where law enforcement requests a short delay to avoid compromising an investigation.
The Three Exceptions (Article 34(3))
Article 34(3) lists three circumstances in which communication to data subjects is not required:
| Exception | What it means |
|---|---|
| Effective protection measures | The controller had implemented appropriate technical and organisational protection measures — in particular encryption — that render the personal data unintelligible to any unauthorised person. If the breached data is strongly encrypted and the keys were not compromised, the high risk to individuals is removed. |
| Subsequent mitigating measures | The controller has taken subsequent measures ensuring that the high risk to individuals is no longer likely to materialise — for example, promptly disabling compromised credentials or remotely wiping a lost device before access occurred. |
| Disproportionate effort | Individual communication would involve disproportionate effort. In that case, the controller must instead make a public communication or take a similar measure that informs the affected individuals equally effectively. |
Encryption is the most important of the three in practice: it is the single most reliable way to take a breach below the Article 34 threshold, which is why "the breached data was encrypted at rest" is such a consequential fact in any incident assessment. This is a direct payoff of strong Article 32 security measures.
When the Authority Can Compel You (Article 34(4))
Even if a controller concludes that communication is not required, Article 34(4) gives the supervisory authority the power to override that judgment:
"If the controller has not already communicated the personal data breach to the data subject, the supervisory authority… may require it to do so, or may decide that any of the [exceptions] are met."
In other words, the controller's risk assessment is not the final word. A regulator that disagrees with your conclusion — that the risk was below the high-risk threshold, or that an exception applied — can order communication. This is a powerful reason to document the Article 34 assessment as rigorously as the notification itself: if the authority later questions your decision not to communicate, your contemporaneous reasoning is your defence.
Fines and Enforcement
Violations of Article 34 sit in the lower fine tier under Article 83(4): up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. As with Article 33, a failure to communicate can also support an Article 5(2) accountability finding, which sits in the upper tier (up to €20M / 4%).
Enforcement examples increasingly pair Articles 33 and 34 together:
- Poland (2025): The Polish supervisory authority fined the County Hospital in Września EUR 6,800 for infringement of Articles 33 and 34, and the National Public Prosecutor's Office EUR 19,800 for infringement of Articles 6, 33 and 34 (EDPB national news).
- High-profile breach fines such as British Airways (£20 million, ICO) and Marriott (£18.4 million, ICO) underline how breaches affecting millions of individuals attract scrutiny across the full notification chain — from security under Article 32 to communication under Article 34.
- Volume: with EEA breach notifications now averaging 443 per day (DLA Piper, January 2026), the proportion that escalate to data-subject communication is a key signal authorities monitor.
The UK and Norway Position
As with Article 33, the duty to communicate breaches to individuals is a pan-European standard rather than an EU-27 peculiarity.
United Kingdom. UK GDPR retains Article 34 in substance: where a breach is likely to result in a high risk to individuals, the controller must inform them without undue delay, with the ICO providing guidance and oversight. The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) did not weaken this obligation, and the European Commission moved to renew the UK's adequacy decision after reviewing the reforms — meaning EU–UK data flows continue and breach-handling expectations remain aligned. The high-profile ICO breach fines against British Airways and Marriott illustrate how UK enforcement tracks the EU's logic closely.
Norway and the EEA. Norway applies the GDPR through the EEA Agreement (in force since July 2018), so Article 34 binds Norwegian controllers in identical terms, supervised by Datatilsynet. Where a breach is likely to result in a high risk, affected individuals in Norway must be informed without undue delay — the same threshold, the same content requirements, the same exceptions. For organisations operating across the EU, EEA, and UK, the practical conclusion is that you should design one breach-communication playbook to the high-risk standard, not three.
Operationalising Article 34 in a Trust Center
Article 34 is the most reputationally sensitive moment in the breach lifecycle, and it is almost impossible to do well if you improvise it. Three pieces of pre-work make the difference:
- A high-risk decision framework that maps breach types to the EDPB's risk indicators (identity theft, financial loss, special-category data), so the high-risk determination is consistent and defensible — and survives an Article 34(4) challenge.
- A pre-approved, plain-language communication template containing the three mandatory elements, ready to populate, so you are not drafting customer-facing copy under legal and time pressure.
- An encryption-status inventory, because whether breached data was rendered unintelligible (the first Article 34(3) exception) is frequently the fact that decides whether you must communicate at all.
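A minimal encoding of that decision framework, added here as an example (not the page's or Orbiq's own code): the risk tier and the exception flags are assumed to come from the controller's own risk assessment, and the names `Breach`, `decide` and `missing_elements` are hypothetical. The function returns both the Article 33 and Article 34 decisions together with the reasoning to record under Article 33(5), and a second helper checks a draft notice for the three Article 34(2) elements.

```python
from dataclasses import dataclass

# Controller's own assessed risk tier (input from the risk assessment, not computed here).
NONE, RISK, HIGH_RISK = "none", "risk", "high_risk"

@dataclass
class Breach:
    risk: str                              # NONE, RISK or HIGH_RISK
    encrypted: bool = False                # breached data was encrypted (Art. 32 measure)
    keys_compromised: bool = False         # encryption only helps if the keys stayed safe
    high_risk_mitigated: bool = False      # Art. 34(3)(b): later measures removed the high risk
    disproportionate_effort: bool = False  # Art. 34(3)(c): individual notices impracticable
    authority_requires: bool = False       # Art. 34(4): supervisory authority orders communication

def decide(b: Breach) -> dict:
    """Return the Art. 33 and Art. 34 decisions plus reasoning for the breach register (Art. 33(5))."""
    reasons = []
    notify_authority = b.risk in (RISK, HIGH_RISK)
    reasons.append("Art. 33: notify the supervisory authority within 72 hours" if notify_authority
                   else "Art. 33: below the risk threshold, document internally only")
    if b.risk != HIGH_RISK:
        communicate = "not_required"
        reasons.append("Art. 34(1): not likely to result in a high risk")
    elif b.encrypted and not b.keys_compromised:
        communicate = "not_required"
        reasons.append("Art. 34(3)(a): data unintelligible (encrypted, keys not compromised)")
    elif b.high_risk_mitigated:
        communicate = "not_required"
        reasons.append("Art. 34(3)(b): subsequent measures removed the high risk")
    elif b.disproportionate_effort:
        communicate = "public_communication"
        reasons.append("Art. 34(3)(c): disproportionate effort, public communication instead")
    else:
        communicate = "individual"
        reasons.append("Art. 34(1): communicate to data subjects without undue delay")
        if b.encrypted and b.keys_compromised:
            reasons.append("Encryption gives no exception: the keys were compromised")
    if b.authority_requires and communicate != "individual":
        communicate = "individual"
        reasons.append("Art. 34(4): the supervisory authority requires communication")
    return {"notify_authority": notify_authority, "communicate": communicate, "reasons": reasons}

# Art. 34(2) mandatory elements of the notice, checked before anything is sent.
MANDATORY = ("contact_point", "likely_consequences", "measures_taken")

def missing_elements(notice: dict) -> list:
    """Names of Art. 34(2) elements that are absent or blank in a draft notice."""
    return [k for k in MANDATORY if not str(notice.get(k, "")).strip()]
```

The `reasons` list is what survives an Article 34(4) challenge: it records, per breach, which threshold or exception the decision rested on.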
This is where breach communication connects to the broader trust posture. The same continuous monitoring that evidences your security controls also tells you, at the moment of a breach, which data stores were affected and whether they were encrypted — the input to your Article 34 decision. Orbiq's Trust Center platform keeps that evidence current and audit-ready, and for the legal and DPO teams who own the communication decision, our Trust Center for legal teams guide shows how to keep the breach register, risk assessment, and notice workflow in one defensible place.
Read alongside its companion, Article 33 on the 72-hour rule, Article 34 completes the GDPR breach-response picture: notify the regulator when there is a risk, tell the people when there is a high risk, and document the reasoning for both — every time.
Sources & References
- Regulation (EU) 2016/679 (GDPR) — Full Text — Official Journal of the European Union.
- gdpr-info.eu — Article 34 (Communication to the Data Subject) — Article text and recitals.
- gdpr-info.eu — Article 33 (Notification to Supervisory Authority) — Companion notification obligation.
- EDPB Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0) — Risk assessment, high-risk examples, and communication guidance.
- DLA Piper GDPR Fines and Data Breach Survey: January 2026 — 443 breach notifications per day across the EEA, up 22%.
- Polish SA: administrative fine of €6,800 for failure to notify (Articles 33 and 34) — EDPB national news, 2025.
- Polish SA: administrative fine of €19,800 (Articles 6, 33 and 34) — EDPB national news, 2025.
- ICO — Personal data breaches: a guide — UK GDPR breach communication to individuals.
- Data (Use and Access) Act 2025 — UK data protection reform overview — Norton Rose Fulbright analysis.
- Datatilsynet — Norwegian Data Protection Authority — Breach notification guidance (Norway / EEA).
Frequently Asked Questions
When must you notify data subjects of a breach under GDPR Article 34?
You must communicate a breach to affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms — for example, a risk of identity theft, financial loss, fraud, or exposure of special-category data. This is a higher threshold than the Article 33 duty to notify the supervisory authority.
What is the difference between GDPR Article 33 and Article 34?
Article 33 requires notifying the supervisory authority within 72 hours when a breach is likely to result in a risk. Article 34 requires notifying the affected individuals when a breach is likely to result in a high risk. Article 34 has a higher threshold, no fixed deadline, and is addressed to people rather than a regulator.
What must an Article 34 breach communication contain?
It must describe, in clear and plain language, the nature of the breach and include at least: the name and contact details of the data protection officer or contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects.
Are there exceptions to notifying data subjects under Article 34?
Yes. Article 34(3) provides three exceptions: the data was protected by measures such as encryption that render it unintelligible; subsequent measures ensure the high risk is no longer likely to materialise; or individual communication would involve disproportionate effort, in which case a public communication is made instead.
Does Article 34 apply in the UK and Norway?
Yes, in equivalent form. UK GDPR requires controllers to inform individuals without undue delay where a breach is likely to result in a high risk, with the ICO as the supervisory authority. Norway applies the same obligation via the EEA Agreement, supervised by Datatilsynet. The high-risk threshold is consistent across all three regimes.