
GDPR Art. 33: Notify CNPD of a breach within 72h—without panic

Practical method, based on official texts and CNPD guidance, to decide, notify, and document a personal data breach within 72 hours.

In an incident, 72 hours go by fast. Here is a practical, operational method—grounded in official texts and CNPD guidance—to decide, notify, and document correctly.

The general rule

  • Article 33 GDPR requires the controller to notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it” of any personal data breach, unless the breach is “unlikely” to result in a risk to the rights and freedoms of natural persons. The minimum content is set out in Article 33(3)(a)–(d). Processors must inform the controller “without undue delay” after becoming aware (Art. 33(2)). Full text on EUR‑Lex. (eur-lex.europa.eu)
  • In case of high risk, communication to data subjects is required under Article 34 “without undue delay,” with content aligned to 33(3)(b) to (d). (eur-lex.europa.eu)
  • CNPD reminds that notification is required as soon as a risk exists and details the expected content and channel (dedicated address databreach@cnpd.lu and PGP key). Official “Personal data breaches (GDPR)” page. (cnpd.public.lu)

What the regulator says

  • CNPD (Luxembourg). The dedicated page states: controllers “must notify within 72 hours of becoming aware if the breach is likely to result in a risk […]” and lists the minimum content (nature of the breach, DPO/contact, likely consequences, measures taken/proposed). It indicates the notification channel (databreach@cnpd.lu) and the option to use the PGP key. (cnpd.public.lu) CNPD also publishes useful statistics: 442 notifications received in 2024 (average 37/month) and more than half due to human error, per the 2024 annual report (annexes). (cnpd.public.lu)
  • EDPB (European Data Protection Board). Guidelines 9/2022 (final version of 4 April 2023) harmonize interpretation: start the assessment without delay, document every breach (even if not notified), and, where necessary, notify in stages (initial notification, then a complement). (edpb.europa.eu) To practice risk qualification, Guidelines 01/2021 (practical examples) cover typical scenarios (misdelivery, ransomware, lost laptop, mailbox compromise, etc.) with “risk / high risk” analysis and expected mitigations. (edpb.europa.eu)
  • Luxembourg public administration (practical reference). The CGPD brochure (government commissioner) clarifies common pitfalls: the 72‑hour clock starts once a “reasonable doubt” exists that a breach occurred; weekends/holidays do not justify delay; a preliminary notification is possible when not all information is available. (download.data.public.lu)

How to apply in practice

Use case: employee mailbox compromise with probable exfiltration of client files.

Before (preparation)

  1. Define a 24/7 internal escalation process: who to alert, who decides (CISO/DPO), who drafts, who approves. Map processing activities (Art. 30 register) to identify data/volumes quickly. Align with CNPD notification fields (nature, categories/approximate volumes, DPO contact, consequences, measures). (cnpd.public.lu)
  2. Tool up evidence collection: logs, EDR, SIEM, backups, exfiltration proof. Prepare ready-to-use templates for initial notification and data subject communication (Art. 34) in fr/de/en. Update policies per EDPB 9/2022 recommendations. (edpb.europa.eu)

During (the 72 hours)

  1. T0 = the moment the organization has reasonable awareness of a breach (e.g., confirmation of unauthorized access). Launch a people-centric risk assessment (not only IT): data types, individuals’ vulnerability, likelihood of fraud/identity theft, volume, ease of identification. Use EDPB 01/2021 examples to calibrate risk/high risk. (edpb.europa.eu)
  2. Decide:
    • If risk is likely: prepare CNPD notification (Word .docx per CNPD model; PGP-encrypted transmission possible). Justify any delay > 72h. (cnpd.public.lu)
    • If a risk is unlikely: no CNPD notification, but record the incident in the internal breach register (mandatory). (cnpd.public.lu)
  3. Notify if needed before H+72: include Article 33(3) minimum content + known facts to date; send a follow-up notification as soon as reliable new elements are available (practice validated by EDPB 9/2022). (eur-lex.europa.eu)
  4. If high risk: prepare data subject communication “without undue delay” (clear language; nature of the breach; contact; likely consequences; measures taken/proposed; how to protect themselves). Choose an effective channel (letter, email, client portal; public notice if needed). (cnpd.public.lu)
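As an added example (not from the article, nor a CNPD or EDPB tool), a small Python triage helper that applies the steps above to the mailbox-compromise use case: T0 plus the 72-hour clock, the risk vs high-risk triggers for Art. 33 and Art. 34, the mandatory register entry, and a completeness check of the Art. 33(3) content to decide between a preliminary and a complete notification. The `Breach` fields, the risk weighting and the sample facts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical triage helper written for this article; not a CNPD or EDPB tool.
# It only encodes the triggers and deadlines the text cites; the scoring is assumed.
NOTIFY_WINDOW = timedelta(hours=72)   # Art. 33(1), counted from awareness (T0)
ECS_WINDOW = timedelta(hours=24)      # Reg. (EU) 611/2013, e-comms providers only
# Minimum content of Art. 33(3)(a)-(d): nature + categories/volumes, DPO contact,
# likely consequences, measures taken or proposed.
ART33_FIELDS = ("nature", "categories_and_volumes", "dpo_contact", "consequences", "measures")

@dataclass
class Breach:
    awareness_at: datetime   # T0 = reasonable awareness, not absolute proof
    special_category: bool   # Art. 9 data (health, etc.) involved
    enables_fraud: bool      # credentials, financial or identity data exposed
    subjects: int            # approximate number of people affected
    data_unreadable: bool    # strong encryption, key not compromised
    ecs_provider: bool = False
    facts: dict = field(default_factory=dict)  # Art. 33(3) content known so far

def risk_level(b: Breach) -> str:
    # Assumed, illustrative weighting of the people-centric criteria in the text.
    if b.data_unreadable:
        return "unlikely"
    if b.special_category or b.enables_fraud or b.subjects >= 1000:
        return "high"
    return "likely"

def triage(b: Breach) -> dict:
    level = risk_level(b)
    # Wall-clock arithmetic: weekends and holidays do not extend the deadline.
    deadline = b.awareness_at + (ECS_WINDOW if b.ecs_provider else NOTIFY_WINDOW)
    missing = [f for f in ART33_FIELDS if not b.facts.get(f)]
    actions = ["record in internal breach register (mandatory, even if not notified)"]
    if level != "unlikely":
        kind = "preliminary" if missing else "complete"
        actions.append(f"send {kind} CNPD notification before {deadline.isoformat()}")
    if level == "high":
        actions.append("communicate to data subjects without undue delay (Art. 34)")
    return {"risk": level, "deadline": deadline, "missing_fields": missing, "actions": actions}

def mailbox_case() -> Breach:
    # Constructed sample: the article's mailbox-compromise use case, detected on a Friday evening.
    return Breach(datetime(2026, 3, 6, 17, 30), special_category=False, enables_fraud=True,
                  subjects=120, data_unreadable=False,
                  facts={"nature": "employee mailbox compromise, client files probably exfiltrated",
                         "dpo_contact": "dpo@example.invalid"})
```

Running `triage(mailbox_case())` yields a high-risk classification, a Monday 17:30 deadline (the weekend does not push it back), and a preliminary notification because consequences and measures are still unknown.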

After (remediation and evidence)

  1. Corrective measures: account resets, secret rotation, stronger MFA, purge inappropriate data, reinforce transfer rules, patches, targeted awareness (human error is the top cause per CNPD 2024). (cnpd.public.lu)
  2. Documentation: keep all elements that supported the assessment (timeline, evidence, risk scoring, decisions, notification versions, exchanges with CNPD). CNPD may request access. (cnpd.public.lu)
  3. Lessons learned: update policies, run simulations, adjust controls (four-eyes principle on sensitive dispatch, DLP rules, access reviews). Use EDPB 01/2021 scenarios for exercises. (edpb.europa.eu)

Common pitfalls

  1. Waiting for “absolute proof” before starting the clock. The 72-hour period starts at reasonable awareness; a preliminary notification is possible if information is still missing. (download.data.public.lu)
  2. Focusing on IT impact and underestimating people risk. GDPR requires a rights-and-freedoms assessment; use EDPB criteria and examples (data type, population, exploitability). (edpb.europa.eu)
  3. Failing to inform the DPO or mis-stating the contact point. Article 33(3)(b) requires the DPO/contact; CNPD pays attention to this. (eur-lex.europa.eu)
  4. Not documenting “non-notified” incidents. The internal breach register is mandatory and may be inspected by CNPD. (cnpd.public.lu)
  5. Mixing up CNPD notification and data subject information. These are separate obligations (Art. 33 vs Art. 34) with different triggers (risk vs high risk) and tailored content. (eur-lex.europa.eu)

Official sources

Practical note: for publicly available electronic communications service providers, stricter rules (24h notification) apply under Regulation (EU) No 611/2013; CNPD details the specific procedure. (cnpd.public.lu)

In short: before a crisis, equip your people‑risk analysis and prepare templates; during, notify before H+72 even partially; after, record, remediate, and learn. This is what CNPD and EDPB expect in 2026. (cnpd.public.lu)

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.
