Back to Blog
LegalTech & IA

Missed the 72-Hour GDPR Breach Notification Deadline? Here’s Your Emergency Plan

NakedPact Editorial Committee
Reviewer: Carmelo G.
Comitato Editoriale NakedPact
July 12, 2026
10 min read
Missed the 72-Hour GDPR Breach Notification Deadline? Here’s Your Emergency Plan

What to Do When You Can’t Notify the DPA in Time?

If you cannot notify the supervisory authority within 72 hours of becoming aware of a personal data breach, the GDPR requires you to provide a reasoned justification for the delay. This is not a get-out-of-jail-free card, but a structured way to show you acted in good faith.

Featured Snippet Bait: Under Article 33(1) of the GDPR, if you cannot notify the DPA within 72 hours, you must provide a reasoned justification for the delay. This means documenting why the breach was complex, what steps you took to investigate, and when you expect to submit the full notification.

Step 1: Document Everything Immediately

Start a breach log with timestamps: when you discovered the breach, what actions you took, and why you couldn’t meet the deadline. This log is your best friend if the DPA asks questions later.

Step 2: Send a Preliminary Notification

Even if you lack full details, send a brief initial notification within 72 hours. Include: what happened (as far as you know), approximate number of data subjects affected, and a timeline for the full report. This shows you’re not ignoring the obligation.

Step 3: Provide a Reasoned Justification

In your delayed notification, explain clearly why you couldn’t meet the deadline. Valid reasons include: the breach was complex (e.g., involved multiple systems), you needed forensic analysis, or you were waiting for third-party information. Avoid vague excuses like “we were busy.”

Step 4: Communicate with Affected Individuals

If the breach poses a high risk to rights and freedoms, you must also inform the data subjects without undue delay. This is separate from notifying the DPA. Use clear language and explain what they can do to protect themselves.

Step 5: Mitigate and Learn

Take immediate steps to contain the breach and prevent further damage. After the dust settles, conduct a post-mortem to improve your incident response plan. The DPA will look more favorably on organizations that show proactive improvement.

Remember, the 72-hour deadline is not a strict cutoff—it’s a “best effort” requirement. The key is to demonstrate you acted diligently. For official guidance, see Article 33 of the GDPR.

FAQ

What counts as a valid reason for delaying notification?

Valid reasons include: the breach was complex to investigate, you needed to involve external forensic experts, or you were waiting for critical information from a third party. Simply being understaffed or forgetting is not acceptable.

Can I be fined for late notification?

Yes, but fines are discretionary. The DPA will consider the severity of the breach, the reason for delay, and whether you took mitigating actions. A justified delay with good documentation reduces the risk of fines.

Should I notify data subjects even if I missed the DPA deadline?

Yes, if the breach poses a high risk to individuals’ rights and freedoms. Notifying data subjects is a separate obligation under Article 34. Do it as soon as possible, even if your DPA notification is late.

🚨 Emergency Breach Checklist

  • Document discovery time and initial actions
  • Send preliminary notification within 72h
  • Prepare reasoned justification for delay
  • Notify affected individuals if high risk
  • Contain breach and start mitigation
  • Conduct post-mortem and update IR plan
💡 Tip: Use a breach log template to timestamp every step. This shows the DPA you acted diligently.
NakedPact Logo

NakedPact Editorial Committee

Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.

Do you own a website?

Do you own a website?

Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.

🛡️ Protect your rights with one click

Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.

Don't trust, verify.

Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.

Analyze Your Contract Now

Rispettiamo la tua privacy

Usiamo i cookie per migliorare la tua esperienza e personalizzare gli annunci. Scopri di più.

NakedPact Logo

Estensione Chrome

Analizza i contratti e i Termini di Servizio direttamente sul tuo browser con l'estensione NakedPact.