GRCWatch
Sign inStart free trial

GDPR Article 34: Communicating Data Breaches to Affected Individuals

When a personal data breach poses high risk to individual rights and freedoms, GDPR Article 34 requires you to notify affected data subjects without undue delay. This control is non-negotiable—failure to notify can result in fines up to €20 million. Understanding what, when, and how to communicate is critical for compliance and maintaining customer trust.

What this means

Article 34 mandates that organizations must proactively inform data subjects when a breach is likely to create high risk to their rights and freedoms. Unlike Article 33 (which requires notifying regulators), this control focuses on direct communication with individuals. You must describe the breach nature, provide contact details, explain likely consequences, and outline protective measures already taken or planned. The notification must be clear, timely, and written in plain language—no legal jargon.

How to comply

  1. 1.Assess breach severity immediately after discovery using your Data Protection Impact Assessment (DPIA) process to determine if high risk to rights/freedoms exists
  2. 2.Prepare notification content that includes: specific breach nature, approximate date/time, personal data categories affected, potential consequences for individuals, and measures implemented or planned
  3. 3.Communicate directly to affected data subjects without undue delay via email, SMS, or published notice—choose methods that reach your audience reliably
  4. 4.Include a dedicated contact point (DPO email or support line) where individuals can ask questions or request further information
  5. 5.Document all notification efforts: recipient lists, timing, content, delivery method, and responses received
  6. 6.Maintain records for at least 3 years to demonstrate compliance if regulators conduct audits
  7. 7.Coordinate with your Data Protection Officer (DPO) and legal team before sending notifications to avoid inconsistency or legal exposure

Evidence auditors look for

  • Timestamped breach notification emails sent to affected individuals with breach description and contact information
  • Breach register entries showing assessment date, high-risk determination, and notification decision rationale
  • Customer-facing breach notification templates pre-approved by legal and DPO
  • SMS or push notification logs proving timely communication to subjects without access to email
  • Published notices on company website for breaches affecting large populations or individuals unable to be reached individually
  • Screenshots of support ticket responses to individual inquiries about breach consequences and protective measures
  • Audit trail showing coordination between Incident Response, Legal, and DPO teams before notification dispatch

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates breach severity assessment, pre-populates notification templates with required GDPR language, logs all communications with timestamps, and tracks individual responses—eliminating manual spreadsheets and reducing Article 34 notification time from days to hours.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR-A33-01 — Notification of Personal Data Breach to Supervisory AuthorityGDPR-A32-01 — Security of ProcessingGDPR-A30-01 — Records of Processing Activities (ROPA)GDPR-A35-01 — Data Protection Impact Assessment (DPIA)