Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (Text with EEA relevance)RecitalsChapter I General provisions (arts. 1-3)Article 1 Subject matter and objectivesArticle 2 ScopeArticle 3 DefinitionsChapter II General principles (arts. 4-13)Article 4 Principles relating to processing of personal dataArticle 5 Lawfulness of processingArticle 6 Processing for another compatible purposeArticle 7 Conditions for consentArticle 8 Conditions applicable to a child's consent in relation to information society servicesArticle 9 Transmissions of personal data to recipients established in the Union other than Union institutions and bodiesArticle 10 Processing of special categories of personal dataArticle 11 Processing of personal data relating to criminal convictions and offencesArticle 12 Processing which does not require identificationArticle 13 Safeguards relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposesChapter III Richts of the data subject (arts. 14-25)Section 1 Transparency and modalities (art. 14)Article 14 Transparent information, communication and modalities for the exercise of the rights of the data subjectSection 2 Information and access to personal data (arts. 15-17)Article 15 Information to be provided where personal data are collected from the data subjectArticle 16 Information to be provided where personal data have not been obtained from the data subjectArticle 17 Right of access by the data subjectSection 3 Rectification and erasure (arts. 18-22)Article 18 Right to rectificationArticle 19 Right to erasure ('right to be forgotten')Article 20 Right to restriction of processingArticle 21 Notification obligation regarding rectification or erasure of personal data or restriction of processingArticle 22 Right to data portabilitySection 4 Right to object and automated individual decision-making (arts. 23-24)Article 23 Right to objectArticle 24 Automated individual decision-making, including profilingSection 5 Restrictions (art. 25)Article 25 RestrictionsChapter IV Controller and processor (arts. 26-45)Section 1 General obligations (arts. 26-32)Article 26 Responsibility of the controllerArticle 27 Data protection by design and by defaultArticle 28 Joint controllersArticle 29 ProcessorArticle 30 Processing under the authority of the controller or processorArticle 31 Records of processing activitiesArticle 32 Cooperation with the European Data Protection SupervisorSection 2 Security of personal data (arts. 33-35)Article 33 Security of processingArticle 34 Notification of a personal data breach to the European Data Protection SupervisorArticle 35 Communication of a personal data breach to the data subjectSection 3 Confidentiality of electronic communications (arts. 36-38)Article 36 Confidentiality of electronic communicationsArticle 37 Protection of information transmitted to, stored in, related to, processed by and collected from users' terminal equipmentArticle 38 Directories of usersSection 4 Data protection impact assessment and prior consultation (arts. 39-40)Article 39 Data protection impact assessmentArticle 40 Prior consultationSection 5 Information and legislative consultation (arts. 41-42)Article 41 Information and consultationArticle 42 Legislative consultationSection 6 Data protection officer (arts. 43-45 and draft art. 45a)Article 43 Designation of the data protection officerArticle 44 Position of the data protection officerArticle 45 Tasks of the data protection officerDraft Article 45aChapter V Transfers of personal data to third countries or international organisations (arts. 46-51)Article 46 General principle for transfersArticle 47 Transfers on the basis of an adequacy decisionArticle 48 Transfers subject to appropriate safeguardsArticle 49 Transfers or disclosures not authorised by Union lawArticle 50 Derogations for specific situationsArticle 51 International cooperation for the protection of personal dataChapter VI European data protection supervisor (arts. 52-60)Article 52 European Data Protection SupervisorArticle 53 Appointment of the European Data Protection SupervisorArticle 54 Regulations and general conditions governing the performance of the European Data Protection Supervisor's duties, staff and financial resourcesArticle 55 IndependenceArticle 56 Professional secrecyArticle 57 TasksArticle 58 PowersArticle 59 Obligation of controllers and processors to react to allegationsArticle 60 Activities reportChapter VII Cooperation and consistency (arts. 61-62)Article 61 Cooperation between the European Data Protection Supervisor and national supervisory authoritiesArticle 62 Coordinated supervision by the European Data Protection Supervisor and national supervisory authoritiesChapter VIII Remedies, liability and penalties (arts. 63-69)Article 63 Right to lodge a complaint with the European Data Protection SupervisorArticle 64 Right to an effective judicial remedyArticle 65 Right to compensationArticle 66 Administrative finesArticle 67 Representation of data subjectsArticle 68 Complaints by Union staffArticle 69 SanctionsChapter IX Processing of operational personal data by union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU (arts. 70-95)Article 70 Scope of the ChapterArticle 71 Principles relating to processing of operational personal dataArticle 72 Lawfulness of processing of operational personal dataArticle 73 Distinction between different categories of data subjectsArticle 74 Distinction between operational personal data and verification of the quality of operational personal dataArticle 75 Specific processing conditionsArticle 76 Processing of special categories of operational personal dataArticle 77 Automated individual decision-making, including profilingArticle 78 Communication and modalities for exercising the rights of the data subjectArticle 79 Information to be made available or given to the data subjectArticle 80 Right of access by the data subjectArticle 81 Limitations to the right of accessArticle 82 Right to rectification or erasure of operational personal data and restriction of processingArticle 83 Right of access in criminal investigations and proceedingsArticle 84 Exercise of rights by the data subject and verification by the European Data Protection SupervisorArticle 85 Data protection by design and by defaultArticle 86 Joint controllersArticle 87 ProcessorArticle 88 LoggingArticle 89 Data protection impact assessmentArticle 90 Prior consultation of the European Data Protection SupervisorArticle 91 Security of processing of operational personal dataArticle 92 Notification of a personal data breach to the European Data Protection SupervisorArticle 93 Communication of a personal data breach to the data subjectArticle 94 Transfer of operational personal data to third countries and international organisationsArticle 95 Secrecy of judicial inquiries and criminal proceedingsChapter X Implementing Acts (art. 96)Article 96 Committee procedureChapter XI Review (art. 97-98)Article 97 Review clauseArticle 98 Review of Union legal actsChapter XII Final provisions (arts. 99-101)Article 99 Repeal of Regulation (EC) No 45/2001 and of Decision No 1247/2002/ECArticle 100 Transitional measuresArticle 101 Entry into force and applicationDone at
Page Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2 
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Recently generated comparisons
None generated
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 17th June 2026
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application

AI Summary of Article 34 Notification of a personal data breach to the European Data Protection Supervisor

In the event of a personal data breach, controllers are obliged to notify the European Data Protection Supervisor within 72 hours of becoming aware of the incident, unless the breach poses no significant risk to individuals' rights and freedoms. If notification is delayed beyond this timeframe, justifications for the delay must be provided.

Notifications must include details such as the nature of the breach, affected data subjects, potential consequences, and remedial measures taken. Additionally, controllers must inform their data protection officer and maintain records that document the breach, impacting effects, and corrective actions for compliance verification.

PreviousNext
Version status: Applicable | Document consolidation status: No known changes
Version date: 12 December 2019 - onwards
Version 3 of 3

Article 34 Notification of a personal data breach to the European Data Protection Supervisor

DRAFT Paragraph replaced Article 4 Amendments to Regulation (EU) 2018/1725 (EUDPR) of the Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) (COM(2025) 837 final / 2025/0360 (COD)) (updated 26 May 2026 with Opinion C/2026/2621)
View:
Current text Draft text as it may be read Compare current vs draft text Whole document current text vs draft text

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the European Data Protection Supervisor, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the European Data Protection Supervisor is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer;

(c) describe the likely consequences of the personal data breach;

PreviousNext