Free GDPR Breach Notification Letter Pack (2026) — Word
Published Jul 15, 2026
By Orbiq Team

Free GDPR Breach Notification Letter Pack (2026) — Word

Art 33 authority notification + Art 34 data-subject letter, ready to adapt inside the 72-hour window. Free DOCX pack with breach log — no email gate.

GDPR
Breach Notification
Templates
Data Protection
Incident Response

Download this template

Version 1.0 · Updated Jul 15, 2026 · Free, no email required

GDPR Breach Notification Letter Pack (Word, PDF & Markdown)

This free GDPR breach notification letter pack contains the two documents you must be able to produce under pressure — the Article 33 notification to the supervisory authority (all four 33(3) elements, with a phased-notification flag and delay justification) and the Article 34 letter to data subjects in clear and plain language — plus the Article 33(5) internal breach log that records every incident, notified or not. Download it as Word (DOCX), PDF, or a machine-readable Markdown file your incident tooling can draft from.

When a breach happens, the clock is already running: the authority notification is due without undue delay and, where feasible, within 72 hours of becoming aware — and drafting it from a blank page mid-incident is how deadlines get missed. Average daily breach notifications across the EEA reached 443 per day in 2025, up 22% year-on-year per the DLA Piper GDPR Fines and Data Breach Survey: January 2026. This pack pre-builds both notifications so your incident team fills in facts instead of inventing structure. For the legal mechanics behind each document, see the dedicated guides: GDPR Article 33: The 72-Hour Breach Notification Rule and GDPR Article 34: Communicating a Breach to Data Subjects.

Key takeaways

  1. Two different letters, two different triggers. The authority notification (Article 33) is due when the breach is likely to result in a risk; the data-subject letter (Article 34) only when the risk is high. Many breaches need the first and never the second.
  2. The 72 hours belong to the authority, not the individuals. Article 33's deadline runs from awareness — the moment you have reasonable certainty a breach occurred, per EDPB Guidelines 9/2022 — while the Article 34 letter is "without undue delay" once high risk is established.
  3. Incomplete is acceptable; late without reasons is not. Article 33(4) permits phased notification, and the form carries an explicit initial/update flag. Notifying after 72 hours requires documented reasons for the delay.
  4. The breach log is the duty everyone forgets. Article 33(5) requires documenting every breach — including non-notifiable ones and your reasoning — so the supervisory authority can verify compliance. The pack's log sheet captures exactly that record.
  5. One pack covers EU, UK, and Norway. UK GDPR mirrors both articles (report to the ICO), and Norway applies the GDPR via the EEA Agreement (report to Datatilsynet through Altinn) — only the filing channel changes.

What's inside the pack

The core artifact is the authority notification form — the letter you file with your supervisory authority. Its fields map one-to-one to Article 33(3):

FieldWhat you enterLegal anchor
Controller & contact pointLegal entity, DPO or other contact for follow-up questionsArt 33(3)(b)
Awareness timestampWhen and how you became aware — this is where the 72-hour clock startsArt 33(1); EDPB Guidelines 9/2022
Nature of the breachWhat happened: confidentiality, integrity, or availability breach, and howArt 33(3)(a)
Data subjects & records affectedCategories and approximate numbers of bothArt 33(3)(a)
Likely consequencesRealistic harms: identity theft, fraud, financial loss, exposure of special categoriesArt 33(3)(c)
Measures taken or proposedContainment, remediation, and mitigation of adverse effectsArt 33(3)(d)
Phased-notification flagInitial / update / final, with an update logArt 33(4)
Delay justificationReasons, if filed after 72 hoursArt 33(1)
Cross-border sectionLead supervisory authority and other Member States concernedArt 56

Around the authority form, the download includes:

  • The Article 34 data-subject letter — a plain-language template covering what happened, which data was affected, the likely consequences, what you are doing about it, what the recipient should do (password resets, account monitoring, fraud alerts), and the contact point — the (b), (c), (d) elements Article 34(2) mandates, written for an ordinary reader rather than a lawyer.
  • A public-communication variant note — for the Article 34(3)(c) disproportionate-effort case, where a public statement must inform data subjects "in an equally effective manner."
  • The internal breach log — the Article 33(5) register: incident ID, awareness timestamp, facts, risk assessment, notify-authority and notify-subjects decisions with reasoning, and remedial action. This is the document that defends the breaches you correctly chose not to notify.
  • A notify-or-not decision aid — the two thresholds ("risk" → authority; "high risk" → individuals) and the three Article 34(3) exceptions as a one-page reference.

The Markdown variant carries the same content with machine-readable field definitions, so an AI agent or internal incident tooling can draft a compliant notification from the file alone.

How to use it: the 72-hour workflow

  1. Start the clock consciously. Log the awareness timestamp the moment a responsible person concludes with reasonable certainty that personal data was compromised — not when forensics finishes. This timestamp is the single most scrutinised fact in an Article 33 case.
  2. Assess the risk, then pick the documents. Unlikely to result in a risk → breach log only. Likely risk → authority notification. Likely high risk → authority notification plus the data-subject letter, unless an Article 34(3) exception applies (effective encryption with uncompromised keys, subsequent measures that remove the high risk, or disproportionate effort with a public communication instead).
  3. File within 72 hours, even if incomplete. Use the phased-notification flag rather than waiting for a full picture — the EDPB expects an initial filing with what you know. If you file late, the delay-justification field is mandatory, not optional.
  4. Send the data-subject letter without undue delay. Once high risk is established, promptness is the expectation; remember the supervisory authority can compel the communication under Article 34(4) if it disagrees with your assessment.
  5. Close the loop in the log. Record the final facts, effects, and remedial action in the breach register — including, for non-notified breaches, the reasoning that made them non-notifiable. Processors have a parallel duty to alert their controllers without undue delay under Article 33(2), so the log also records when your processors told you.

The legal basis behind each document

  • GDPR Article 33 creates the authority notification duty: without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk. Article 33(3)(a)–(d) fixes the minimum content — the form's field set. Article 33(4) permits phased filing; Article 33(5) requires the internal register.
  • Article 34 creates the data-subject communication duty at the high risk threshold, in clear and plain language, with the 33(3)(b)–(d) elements as minimum content, and the three 34(3) exceptions. Article 34(4) lets the authority order the communication.
  • EDPB Guidelines 9/2022 on personal data breach notification (version 2.0, adopted 28 March 2023) define "awareness," endorse phased notification for complex incidents, and specify that a non-EU controller subject to the GDPR notifies the supervisory authority of the Member State where its EU representative is established.
  • Article 83(4)(a) sets the fine tier for infringing either article: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Authorities enforce notification discipline in its own right — the Polish DPA and Norway's Datatilsynet have fined organisations specifically for missing the 72-hour deadline, and late notification regularly appears as a separately sanctioned infringement alongside larger Article 32 security fines.

For how breach notification sits inside the wider regulation — principles, lawful bases, and the full 2026 obligations map — see the GDPR compliance pillar.

Using the pack in the UK and Norway/EEA

No structural adaptation is needed. UK GDPR retains Articles 33 and 34 in the same form: notifiable breaches go to the ICO without undue delay and within 72 hours via its online reporting form — around 30 minutes to complete — or by phone for urgent live incidents, with the same "unlikely to result in a risk" exception and the same duty to give reasons for late filing. Norway applies the GDPR through the personopplysningsloven via the EEA Agreement; Datatilsynet asks organisations to file breach notifications through the Altinn portal, on the same 72-hour clock. For a cross-border breach inside the EU/EEA, the one-stop-shop applies: you notify your lead supervisory authority — the authority of your main establishment under Article 56 — and the form's cross-border section captures exactly that determination.

Turn the letters into a workflow

A template gets the notification drafted; it does not assemble the evidence, track the objection-free timeline, or tell your customers what happened in a governed way. After the regulator is notified, enterprise customers ask the same questions — and answering them one security questionnaire at a time is slower than publishing the answer once. A Trust Center gives incident communication a permanent, governed home: Orbiq's trust-update workflow publishes incident notices to subscribed customers with an audit trail, the same channel used for subprocessor change notices — so the letter you download here becomes part of a repeatable process, with legal teams reviewing in the loop instead of in the blast radius.

Sources & References

  1. Regulation (EU) 2016/679 (GDPR) — Articles 33, 34, 56, 83 — notification duty and content (33(1), 33(3)), phased notification (33(4)), documentation duty (33(5)), processor duty (33(2)), data-subject communication and exceptions (34), lead authority (56), fine tier (83(4)(a)).
  2. EDPB Guidelines 9/2022 on personal data breach notification under GDPR (v2.0, adopted 28 March 2023) — awareness definition, phased notification, non-EU controller notification via the representative's Member State.
  3. EDPB — Notify a data breach (national contact points) — where to file in each Member State.
  4. ICO — Personal data breaches: a guide — UK GDPR reporting duty, 72-hour window, risk exception, compelled communication.
  5. Datatilsynet — Meld avvik til Datatilsynet — Norwegian breach notification via Altinn.
  6. DLA Piper GDPR Fines and Data Breach Survey: January 2026 — 443 average daily breach notifications across the EEA in 2025 (+22%).

Related Reading

Download this template

Version 1.0 · Updated Jul 15, 2026 · Free, no email required

Frequently Asked Questions

What should a GDPR data breach notification letter include?

The notification to the supervisory authority must contain at least the four elements of Article 33(3): the nature of the breach including the categories and approximate numbers of data subjects and records concerned, the name and contact details of the DPO or another contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects. The letter to data subjects under Article 34(2) must describe the nature of the breach in clear and plain language and carry at least the contact point, likely consequences, and measures — the (b), (c) and (d) elements of the same list.

Is there a 72-hour deadline for notifying data subjects?

No. The 72-hour deadline in Article 33 applies to the notification to the supervisory authority. The communication to data subjects under Article 34 must happen 'without undue delay' once you establish that the breach is likely to result in a high risk to their rights and freedoms — there is no fixed hour count, but regulators expect it promptly, and the supervisory authority can order you to send it under Article 34(4).

Do I have to report every personal data breach to the supervisory authority?

No. Article 33(1) requires notification unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. But every breach — including the ones you decide not to notify — must be documented internally under Article 33(5), with the facts, effects, and remedial action, so the authority can verify your reasoning. That is what the pack's breach log is for.

What if I can't gather all the information within 72 hours?

Article 33(4) allows phased notification: file the initial notification within 72 hours with what you know, mark it as incomplete, and supplement it without undue further delay as the investigation progresses. The authority notification form in this pack includes a phased-notification flag and an update log so successive filings stay consistent.

Does encryption remove the duty to notify data subjects?

It can. Under Article 34(3)(a), communication to data subjects is not required if the affected data was protected by measures that render it unintelligible to unauthorised persons — encryption being the named example — provided the keys were not compromised. Two further exceptions exist: subsequent measures that eliminate the high risk (34(3)(b)), and disproportionate effort, in which case a public communication must inform data subjects equally effectively (34(3)(c)). The authority notification duty under Article 33 is unaffected by these exceptions.

Does this pack work for UK and Norwegian breaches?

Yes. UK GDPR carries Articles 33 and 34 in the same form — you report to the ICO via its online breach form (or by phone in urgent cases) within the same 72-hour window, with the same 'unlikely to result in a risk' exception. Norway applies the GDPR through the personopplysningsloven via the EEA Agreement; Datatilsynet asks organisations to file breach notifications through the Altinn portal. The pack's fields map one-to-one to both regimes.

Free GDPR Breach Notification Letter Pack (2026) — Word