72 hours or a fine: the Mayor of Myślenice flagged — a reminder for Luxembourg
On 25 May 2026, Poland’s UODO fined the Mayor of Myślenice for failing to notify a data breach within 72 hours (GDPR Art. 33). A useful reminder of what the CNPD expects in Luxembourg.
Excerpt — On 25 May 2026, the Polish authority (UODO) fined the Mayor of Myślenice for failing to notify a personal data breach within 72 hours (GDPR Art. 33). This case clarifies when the clock starts and what the CNPD concretely expects in Luxembourg.
The case
On 25 May 2026, the President of Poland’s UODO published decision DKN.5131.17.2025 against the Burmistrz Miasta i Gminy Myślenice (Mayor of the city and commune of Myślenice). Reason: failure to notify the supervisory authority of a personal data breach « without undue delay and, where feasible, not later than 72 hours », in breach of Article 33(1) GDPR. UODO imposed an administrative fine of PLN 7,700 and rejected the argument that a separate administrative proceeding (an individual complaint) removes the duty to notify the incident. Official sources: UODO’s decision register (entry DKN.5131.17.2025) and UODO’s news release of 25/05/2026. See: https://orzeczenia.uodo.gov.pl/document/urn%3Andoc%3Agov%3Apl%3Auodo%3A2025%3Adkn_5131_17/content and https://uodo.gov.pl/pl/138/4402.
Legal point emphasised: failure to notify within 72 hours is an autonomous infringement of Art. 33(1) GDPR, assessed independently from security measures under Art. 32 (technical issues do not erase the procedural obligation). The official register explicitly cites the legal basis: Art. 33(1) GDPR, « niezgłoszeniu […] nie później niż w terminie 72 godzin » (failure to notify no later than within 72 hours). Source: UODO decision register. For context, see the GDPR provisions listed under Official sources below.
Legal reasoning
- Applicable text. Article 33 GDPR requires controllers to notify any personal data breach to the supervisory authority « without undue delay and, where feasible, not later than 72 hours after having become aware of it », unless the risk to rights and freedoms is « unlikely ». Minimum notification content: Art. 33(3) (nature of the breach, categories/approximate number of data subjects and records, DPO/contact, likely consequences, measures taken/proposed). Consolidated text: EUR‑Lex — Regulation (EU) 2016/679, Art. 33. https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32016R0679.
- EDPB Guidelines. The Guidelines « Personal data breach notification » WP250 rev.01 (endorsed by the EDPB) define « becoming aware »: the clock starts when the controller has a « reasonable degree of certainty » that an incident has led to a breach under Art. 4(12). They also confirm the option to file an initial, incomplete notification followed by updates (Art. 33(4)). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-personal-data-breach-notification-under_en.
- CNPD (Luxembourg) position. The CNPD confirms the 72-hour requirement and provides an operational channel (databreach@cnpd.lu) to notify; where a high risk exists, communication to individuals (Art. 34) must follow « without undue delay ». For certain electronic communications providers, a 24-hour window (Regulation (EU) No 611/2013) applies. Official pages: « Data breaches » and « Forms ». https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html and https://cnpd.public.lu/fr/formulaires.html.
- What the UODO decision adds. A parallel administrative procedure (e.g., an individual complaint) neither suspends nor replaces the 72-hour duty to notify the authority. It also shows that the assessment under Art. 83(2) does not erase the formal infringement of Art. 33(1): failure to notify is sanctionable in itself. UODO news (25/05/2026) and excerpts in the register. https://uodo.gov.pl/pl/138/4402 and https://orzeczenia.uodo.gov.pl/document/urn%3Andoc%3Agov%3Apl%3Auodo%3A2025%3Adkn_5131_17/content.
What this changes in practice for organisations in Luxembourg
- When the clock starts. T0 is not the end of forensics or internal sign-off: it is the moment there is sufficiently corroborated evidence that a breach under Art. 4(12) occurred (e.g., an HR folder publicly exposed, a shared-mailbox deletion causing loss of availability, an unauthorised CRM extraction). When in reasonable doubt, submit an initial notification and follow up with updates. Reference: EDPB Guidelines WP250 rev.01.
- CNPD channel and expected content. In Luxembourg, prepare a template covering the Art. 33(3) items in the CNPD format (DPO details, description of the breach, measures taken). Notification address: databreach@cnpd.lu. Telcos/ISPs: 24 hours. See the CNPD pages on the 72-hour obligation and on the 24-hour notification for providers.
- Link with communication to individuals (Art. 34). If the risk is « high », communication must occur « without undue delay »; it can be deferred if a technical measure removes the risk (e.g., immediate API key rotation and token invalidation with strengthened MFA). Text: Art. 34 GDPR (EUR‑Lex) and the CNPD « Data breaches » page.
- Group governance. Luxembourg entities within a group must ensure internal escalation so that the LU controller can notify the CNPD in time, even if the incident occurred at a processor or a non-LU affiliate. The EDPB Guidelines also recall that Art. 33(2) requires processors to notify the controller « without undue delay »: contract for a 24–48h window on the processor side to preserve the 72-hour margin. Reference: EDPB Guidelines WP250 rev.01.
- DPO/CISO leadership. The UODO decision shows that « another procedure is ongoing » is not a shield. In Luxembourg, the DPO should have a clear mandate to trigger CNPD notification, supported by a written risk-qualification procedure and an internal breach register (Art. 33(5)). Security teams can leverage externalised CISO leadership to accelerate escalation and evidence gathering. See the CNPD's official page on procedures and the breach register.
Concrete examples (Luxembourg/Greater Region)
- Luxembourg SME: a Microsoft 365 share accidentally exposes an HR folder to the domain; the DPO discovers external access 48h later. T0 = when the team has a reasonable basis to conclude a breach (e.g., access logs). Initial notification on day 2, followed by an update on day 5 with exact volumes.
- PSF bank: leak at a digitisation vendor in Lorraine. The processor must alert the bank « without undue delay »; the bank (controller) assesses the risk and notifies the CNPD within 72h. Cross-border aspects do not change the duty (Art. 33 applies, with the lead-authority mechanism where the processing is cross-border).
- Telecom operator: customer database theft. A 24h window (Regulation 611/2013) applies for notifying the CNPD, plus communication to subscribers where there is a risk of adverse effect on them. See the CNPD reference page for providers.
Common pitfalls
- Waiting for “all” evidence before notifying. Wrong approach: the EDPB accepts an initial, incomplete notification followed by updates. The clock starts at « reasonable certainty », not at the end of forensics. EDPB Guidelines.
- Confusing an IT incident with a GDPR breach. A simple outage affecting no personal data is not a breach. Conversely, prolonged unavailability of medical data (loss of availability) may be a breach even without any leakage. Ref.: Art. 4(12) GDPR — EUR‑Lex. https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32016R0679.
- Assuming “there’s already a complaint pending”. UODO confirms this does not remove the 72-hour duty to notify; Art. 33(1) is autonomous. Source: UODO release.
- Slow processor escalation. Art. 33(2) requires processors to alert the controller « without undue delay ». Contract for a firm 24–48h SLA and an escalation playbook. References: EDPB Guidelines WP250 rev.01 and the GDPR text on EUR‑Lex.
- Forgetting the CNPD channel and the mandatory content. The CNPD expects a structured notification (Art. 33(3)) via databreach@cnpd.lu, plus internal documentation (Art. 33(5)). See the CNPD forms and obligations pages.
Official sources
- UODO (Poland) — Decision DKN.5131.17.2025 (Mayor of Myślenice), published 25/05/2026: https://orzeczenia.uodo.gov.pl/document/urn%3Andoc%3Agov%3Apl%3Auodo%3A2025%3Adkn_5131_17/content and release: https://uodo.gov.pl/pl/138/4402.
- GDPR (EU) 2016/679 — EUR‑Lex text (Arts. 33 and 34): https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32016R0679.
- EDPB — Guidelines on Personal data breach notification under Regulation 2016/679 (WP250 rev.01, endorsed by the EDPB): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-personal-data-breach-notification-under_en.
- CNPD (Luxembourg) — Data breaches (obligations, 72h / 24h, register; notification channel): https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees.html, https://cnpd.public.lu/fr/professionnels/obligations/violation-de-donnees/notification_violation_securite.html and https://cnpd.public.lu/fr/formulaires.html.
Takeaway for executives/DPOs/CISOs in Luxembourg: define a clear T0, consider an initial notification when needed, contract short processor SLAs, use the CNPD channel without waiting for a “final” report, and maintain a register per Art. 33(5). To strengthen your setup, consider DPO support in Luxembourg.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.