GDPR Article 34 Explained: Communication of a Personal Data Breach to the Data Subject

Among all GDPR provisions dealing with data breaches, Article 34 is the one most visible to the public. While Article 33 governs when and how organizations must notify supervisory authorities, Article 34 shifts the focus to individuals whose personal data has been compromised. It defines when data subjects must be informed, how that communication must look, and when organizations may be exempt from notifying individuals.

Article 34 is not about paperwork or internal compliance. It is about trust, transparency, and harm prevention. The logic is simple: if a breach puts people at significant risk, they must know about it as soon as possible so they can protect themselves. Failing to do so undermines the core GDPR principles of fairness, transparency, and accountability.


What GDPR Article 34 Is About

GDPR Article 34 regulates communication of a personal data breach to the data subject. In essence, it answers three questions:

  1. When must individuals be informed about a data breach?

  2. What must that communication include?

  3. When is communication to individuals not required?

Unlike Article 33, which applies to any breach likely to result in a risk to individuals, Article 34 applies only when the breach is likely to result in a high risk to the rights and freedoms of natural persons.

This distinction is crucial. Not every breach triggers Article 34, but when it does, failure to comply can lead to severe consequences, including regulatory fines, lawsuits, reputational damage, and loss of customer trust.


The Core Rule of Article 34

Article 34(1) establishes the main obligation:

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

There are four important elements embedded in this sentence:

  • The obligation applies to the controller, not the processor.

  • The breach must pose a high risk, not just any risk.

  • Communication must be made directly to affected individuals.

  • The timing must be without undue delay.

Each of these elements carries legal weight and requires careful interpretation.


Who Is Responsible for Communicating the Breach?

Under Article 34, the duty to communicate lies exclusively with the data controller. Processors do not communicate with data subjects unless explicitly authorized by the controller.

In practice, this means:

  • Cloud providers acting as processors notify their customers (the controllers), who then decide whether individuals must be informed.

  • Employers notify employees.

  • Online platforms notify users.

  • Healthcare providers notify patients.

If a processor detects a breach, its obligation is to inform the controller promptly under Article 33(2). The controller then assesses whether Article 34 applies and whether individuals must be informed.


What “High Risk to Rights and Freedoms” Means

The concept of high risk is central to Article 34 and often misunderstood.

A high risk exists when the breach could realistically lead to serious harm for individuals, such as:

  • Identity theft or fraud

  • Financial loss

  • Discrimination

  • Reputational damage

  • Loss of confidentiality of sensitive data

  • Physical harm or safety risks

  • Loss of control over personal data

Not all personal data is equal. A breach involving encrypted email addresses is very different from a breach involving unencrypted medical records or government identification numbers.

Supervisory authorities generally consider the following factors when assessing high risk:

  • Type of personal data involved

  • Volume of data affected

  • Ease of identification of individuals

  • Severity of potential consequences

  • Vulnerability of affected individuals

  • Whether data was encrypted or otherwise protected

If, after assessment, the risk is considered high, Article 34 communication becomes mandatory.


Timing: What “Without Undue Delay” Really Means

Article 34 does not specify a fixed timeframe like the 72-hour rule in Article 33. Instead, it uses the phrase “without undue delay.”

This means:

  • Notification should happen as soon as the controller has sufficient information

  • Unnecessary internal delays are not acceptable

  • Perfection is not required, but transparency is

Controllers are allowed to:

  • Conduct a brief investigation

  • Confirm the scope of the breach

  • Prepare accurate messaging

They are not allowed to:

  • Delay communication for reputational reasons

  • Wait for legal advice indefinitely

  • Conceal or minimize known risks

If full details are not yet available, controllers can provide initial communication and follow up later with updates.


Required Content of the Communication

Article 34(2) sets clear requirements for what must be included in the communication to data subjects.

The message must be clear, plain, and understandable, and must include at least the following elements:

Description of the Breach

A brief explanation of what happened, written in non-technical language. Individuals should understand the nature of the incident without needing legal or IT expertise.

Contact Information

Details of a contact point where individuals can obtain further information, typically:

  • Data Protection Officer contact details

  • Privacy or security contact email

Likely Consequences

An explanation of the potential effects of the breach on individuals. This does not require speculation but should reflect realistic risks.

Measures Taken or Proposed

Information about steps already taken or planned to mitigate the breach, including guidance for individuals to protect themselves.

The goal is not legal compliance alone, but empowerment of individuals.


Form of Communication: How Individuals Must Be Notified

Article 34 requires direct communication to affected individuals unless this is impossible or disproportionate.

Acceptable communication channels include:

  • Email

  • Letter

  • In-app notifications

  • SMS (in limited cases)

Generic website notices or press releases are generally insufficient unless individual contact is not feasible.

The language must be:

  • Clear

  • Concise

  • Free of technical jargon

  • Free of misleading reassurance

Using overly vague or defensive wording can itself be considered non-compliance.


When Communication to Data Subjects Is NOT Required

Article 34(3) provides three exceptions where communication to individuals is not required, even if a breach occurs.

1. Data Was Properly Protected

If the controller implemented appropriate technical and organizational measures, such as strong encryption, and those measures render the data unintelligible to unauthorized parties, notification may not be required.

Encryption must be effective and properly implemented. Weak or outdated encryption does not qualify.

2. Risk Has Been Eliminated

If the controller has taken immediate measures that ensure the high risk is no longer likely to materialize, communication may not be required.

This is a narrow exception and requires strong evidence that harm is no longer plausible.

3. Disproportionate Effort

If individual communication would involve disproportionate effort, the controller may instead make a public communication or similar measure that is equally effective.

This exception applies mainly to large-scale breaches involving outdated or unreachable contact details.


The Relationship Between Article 33 and Article 34

Article 33 and Article 34 work together but serve different audiences:

  • Article 33 protects regulatory oversight

  • Article 34 protects individuals directly

It is entirely possible that:

  • Article 33 notification is required

  • Article 34 notification is not required

In practice, a failure to notify the supervisory authority under Article 33 often leads to closer scrutiny of whether Article 34 was complied with as well.


Example 1: E-Commerce Platform Payment Data Breach

An online store suffers a breach exposing customer names, billing addresses, and partially masked credit card numbers. The data is not encrypted.

Because the breach involves financial data and identity details, there is a high risk of fraud. The controller must notify affected customers directly, explaining what data was exposed, potential consequences, and steps such as monitoring bank statements or replacing cards.

Failure to notify customers would violate Article 34, even if payment processors are also involved.


Example 2: SaaS CRM With Encrypted Database

A CRM provider experiences unauthorized access to its customer database. However, all personal data is encrypted with modern encryption standards, and encryption keys were not compromised.

Although the breach must be reported to the supervisory authority under Article 33, communication to data subjects is not required under Article 34 because the data is unintelligible to attackers.

This example highlights how preventive security measures directly reduce notification obligations.


Example 3: Healthcare Provider Exposing Medical Records

A clinic accidentally sends patient medical reports to the wrong email recipients. The data includes diagnoses and treatment details.

Health data is highly sensitive, and the breach poses a high risk of discrimination and emotional harm. The clinic must inform affected patients without delay, clearly explaining what happened and offering support.

Even a small number of affected individuals can trigger Article 34 when sensitive data is involved.


Example 4: Employer HR File Leak

An internal HR folder containing employee salaries, performance reviews, and disciplinary records becomes accessible due to misconfigured access permissions.

The employer must notify affected employees because the breach could result in reputational damage, workplace conflict, and emotional distress.

A general internal announcement is insufficient. Individual communication is required.


Example 5: Lost Laptop With Strong Encryption

A company laptop containing customer contact details is stolen. The device is protected with full-disk encryption, strong passwords, and remote wipe capabilities.

Although a breach occurred, the risk to individuals is low because the data is protected. The company does not need to notify individuals under Article 34 but should document the decision and notify the supervisory authority if required.


Documentation and Accountability

Even when Article 34 communication is not required, controllers must document:

  • The breach

  • Risk assessment

  • Decision-making process

  • Mitigation measures

This documentation is essential to demonstrate compliance under the GDPR’s accountability principle.


Consequences of Non-Compliance With Article 34

Failure to comply with Article 34 can result in:

  • Administrative fines

  • Corrective orders from authorities

  • Civil claims from individuals

  • Reputational damage

  • Loss of customer and employee trust

Supervisory authorities increasingly focus on whether individuals were informed promptly and transparently.


Best Practices for Article 34 Compliance

Organizations should:

  • Maintain breach response playbooks

  • Pre-draft notification templates

  • Train staff on risk assessment

  • Involve DPOs early

  • Prioritize clarity over legal defensiveness

  • Test breach response processes regularly

Preparedness is the difference between compliance and crisis.


Conclusion

GDPR Article 34 is not merely a notification rule; it is a human-centric safeguard designed to protect individuals from harm when their personal data is compromised. It forces organizations to confront breaches openly, act responsibly, and respect the rights of data subjects.

Understanding when Article 34 applies, how to assess high risk, and how to communicate effectively is essential for any organization that processes personal data in the EU or the personal data of EU residents.