Data Breaches: 72 Hours to Act, Every Minute Counts
Immediate data breach response: 72-hour AEPD notification, containment, impact assessment, affected individual communication, and post-breach remediation.
Why data breach response requires immediate expert action
Does this apply to your business?
Does your company have a breach-response protocol that can be activated within one hour of detection, including at weekends and outside business hours?
Do you know exactly who in your organisation decides whether to notify the AEPD, and how to reach the DPO at 3am?
Are all personal data breaches from the last three years documented in your breach register, including low-risk incidents that did not require AEPD notification?
Are your cloud and data-processor contracts legally required to notify you of breaches within a timeframe that allows you to meet the 72-hour AEPD deadline?
Our data breach management process
Incident activation and containment
In the first hours after detection, we coordinate with the technical team to contain the incident, limit the breach's scope, and preserve the forensic evidence needed for subsequent analysis.
Impact analysis and notification assessment
We assess the nature, scope, and likely impact of the breach to determine whether the AEPD notification obligation applies and, where relevant, whether communication to affected individuals is required.
AEPD notification and affected individual communication
We draft and submit the AEPD notification within the 72-hour window with all information required by Article 33 GDPR. Where mandatory, we coordinate data subject communication under Article 34.
Remediation and post-breach documentation
We implement technical and organisational corrective measures, update the Article 33(5) breach register, and produce the post-incident report for the governing body.
The challenge
The GDPR requires notification of a personal data breach to the AEPD within 72 hours of becoming aware of it, if there is a risk to individuals' rights. In practice, organisations lose critical hours trying to understand what happened, who must be notified, and how to draft the communication. An error in the notification, or missing the deadline, transforms a manageable incident into a serious infringement that compounds the original problem.
Our solution
We activate an immediate response protocol: technical incident containment, legal analysis of the breach impact and notification obligations, drafting and submitting the AEPD notification within the deadline, and coordinating communication to affected individuals where required. After the incident, we implement corrective measures to prevent recurrence and document the accountability record.
A personal data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data — as defined by Article 4(12) of the EU General Data Protection Regulation (GDPR, Regulation 2016/679). Under Article 33 GDPR, the controller must notify the competent supervisory authority (in Spain, the AEPD) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights. Where the breach is likely to result in a high risk, Article 34 also requires direct communication to the affected individuals. Failure to notify, or a notification that omits required content, can itself constitute a separate GDPR infringement.
A data breach is one of the highest-pressure moments an organisation can face: detection typically occurs outside normal working hours, initial information is incomplete and uncertain, and the 72-hour clock starts running from the moment the organisation has reasonable knowledge of the incident. The difference between a well-managed breach and one that results in a serious sanction is not the incident itself — it is the quality of the response protocol.
Understanding the Dual Notification Obligation
The GDPR imposes a critical distinction that many organisations do not fully understand: the obligation to notify the AEPD (Article 33) and the obligation to communicate to affected individuals (Article 34) apply at different thresholds. AEPD notification is triggered when there is “a risk” to data subjects’ rights — a deliberately low threshold that captures the vast majority of real-world breaches. Communication to individuals is only mandatory when the risk is “high” — requiring a specific impact assessment for each breach. Getting this distinction right determines both what must be done and in what timeframe.
The First 72 Hours
Our response protocol is designed to function under pressure. From the moment of detection, we coordinate technical containment and legal notification analysis in parallel — not sequentially. We do not wait for complete information before initiating the AEPD notification: the GDPR explicitly permits phased notifications when full information is not available at the outset, and this flexibility is critical for meeting the deadline without sacrificing notification quality.
The AEPD notification is not a form-filling exercise. The authority’s enforcement decisions confirm that incomplete notifications, notifications that underestimate the scope of the breach, or notifications that fail to describe the measures taken are treated as compliance failures in themselves. Our notifications reflect the full technical and legal analysis of the incident, providing the AEPD with a complete picture from the first contact.
Post-Breach: From Incident to Improvement
The post-breach phase is as important as the immediate response. A data breach systematically reveals vulnerabilities in the privacy management system that go beyond the technical incident: processor contracts with no breach notification obligation, excessive retention periods that extended the breach’s scope, or absence of encryption on data that could have been protected. The privacy audit we conduct after each incident converts the breach into a genuine opportunity to improve the compliance system.
Coordination with the outsourced DPO is central to our response capacity: the DPO’s existing knowledge of the organisation’s data processing systems significantly accelerates the impact analysis and notification obligation assessment in the critical first hours of an incident. Organisations without a functioning DPO consistently take longer to respond and produce lower-quality notifications — a difference that shows up directly in enforcement outcomes.
NIS2 and DORA: Additional Notification Channels
For essential and important entities subject to the NIS2 Directive, a significant data breach will typically also constitute a significant cybersecurity incident triggering NIS2 notification obligations — an early warning to the competent authority (INCIBE-CERT or CCN-CERT) within 24 hours, followed by a more detailed report within 72 hours. For financial entities subject to DORA (Regulation 2022/2554), equivalent ICT incident reporting obligations apply to the Banco de España and/or the CNMV. These notification channels run in parallel with GDPR obligations and have different deadlines, different content requirements, and different addressee authorities. Our incident response service coordinates all regulatory notification obligations simultaneously.
The Reputational Dimension
Beyond regulatory sanctions, large data breaches have a reputational impact that is difficult to quantify but very real in its consequences. The quality of the initial breach communication — its accuracy, empathy, and operational clarity about what affected individuals should do — is a significant factor in how the reputational impact plays out. We advise on crisis communication alongside the regulatory notification, ensuring that public statements and individual communications are consistent, legally defensible, and designed to maintain rather than undermine trust.
Insurance Coordination
Data breach costs are increasingly insurable — notification expenses, forensic investigation, regulatory defence costs, and third-party claims are standard components of cyber insurance policies. But coverage is conditioned on specific obligations: the insurer must be notified within the policy’s own timeframes (typically shorter than the GDPR deadline), and coverage conditions usually require minimum security standards to have been in place before the incident. Coordinating the breach response with the insurer from the first hours — without compromising the regulatory notification process — requires careful management. Our response protocol includes a dedicated insurance coordination track alongside the regulatory notification process. If your organisation has not yet reviewed its cyber insurance coverage in the context of its current data processing activities, a breach is the wrong moment to discover the gaps.
Sectors Most Affected by Data Breach Exposure
Healthcare: hospitals, clinics, and health technology companies processing special-category health data under GDPR Art. 9 face the highest-severity data breach scenarios. Health data breaches trigger mandatory AEPD notification (Art. 33) and almost always require direct communication to affected patients (Art. 34). AEPD fines for health data breaches — where the controller has failed to implement adequate technical measures — can reach EUR 20 million or 4% of global turnover.
Financial services and FinTech: companies processing payment data, credit information, and financial account details are high-value targets and face parallel notification obligations to AEPD (GDPR), CNMV or Banco de España (DORA), and their payment scheme (Visa/Mastercard) simultaneously. The multi-channel notification and the financial sector supervisors’ scrutiny make financial sector breach management particularly complex.
Education and EdTech: platforms serving minors face heightened obligations under GDPR Recital 38. Any breach affecting children’s personal data is treated by the AEPD with particular severity, and the communication to affected individuals (parents or guardians) must be handled with specific sensitivity.
Professional services (law firms, advisors, accountants): hold highly sensitive client information under professional secrecy obligations. Breaches generate both GDPR notification obligations and professional ethics reporting obligations. The reputational impact of a data breach at a law firm or advisory firm can be existential.
Worked Example: 72-Hour AEPD Notification for a Healthcare Company
A Spanish digital health platform (150,000 registered users) suffered a ransomware attack that encrypted its patient records database. BMC was contacted 8 hours after detection.
BMC’s breach management:
- Initial impact assessment: confirmed that ransomware had accessed (not necessarily exfiltrated) encrypted patient records. GDPR risk assessment: high risk to rights and freedoms (health data, potential exposure of diagnoses and treatment records).
- AEPD notification filed at hour 68: complete initial notification describing the nature of the breach, the categories of data involved (health data, Art. 9), the approximate number of affected users (estimated 45,000 from the encrypted database partition), the likely consequences, and the technical and organisational measures taken to address the breach. The AEPD was informed that the investigation was ongoing and that a supplementary report would follow within 30 days.
- Individual notification decision: high risk to data subjects confirmed. Individual notification letters drafted and sent within 72 hours of the AEPD notification, describing the nature of the breach, the data involved, and recommended protective actions for each affected user.
- Post-incident: forensic investigation confirmed no exfiltration (encryption was the attack objective; the ransomware did not transmit data externally). AEPD supplementary report filed at day 28. No sanction issued; AEPD acknowledged the prompt and complete notification.
- Post-breach remediation: isolated the database environment, implemented network segmentation to prevent lateral movement, activated immutable offsite backups, and implemented privileged access management for database access.
Common Mistakes We Fix
- Waiting for complete information before notifying the AEPD. The 72-hour clock runs from when the organisation has “reasonable knowledge” of the breach — not when the full investigation is complete. Waiting for forensic certainty before notifying typically results in a missed deadline. GDPR Art. 33 explicitly permits phased notifications; the initial notification can be supplemented with additional information as the investigation progresses.
- Underestimating the scope of the breach in the initial notification. AEPD enforcement decisions consistently show that organisations that underestimate the number of affected individuals or the categories of data involved in initial notifications — and then report higher numbers in subsequent communications — are treated as having provided misleading information. Better to report a conservative estimate with a commitment to update than to under-report and then revise upward.
- Not assessing whether individual notification is required. Many organisations notify the AEPD but fail to assess whether the breach also requires direct communication to affected individuals under Art. 34. The threshold is “high risk” (not just “risk”) — but organisations frequently default to not notifying individuals without conducting the required risk assessment. Failure to notify individuals when required is a separate GDPR infringement.
- Not coordinating with the DPO before notifying. Organisations with a DPO (mandatory for public bodies, processors of special-category data at scale, and organisations conducting large-scale monitoring) must consult the DPO as part of the breach response process. Notifications filed without DPO involvement may omit legally required elements or take positions that are legally inconsistent.
- Not reviewing processor contracts after a processor-caused breach. When a breach is caused by a data processor — a cloud provider, a payroll service, a marketing platform — the controller’s obligations to notify the AEPD and affected individuals do not diminish. The processor’s obligation to notify the controller promptly (Art. 33.2 GDPR) and the controller’s rights to conduct audits and receive indemnification under the Data Processing Agreement must be activated immediately. Many DPAs do not adequately address the controller’s rights in this scenario.
How We Work
Our data breach response service operates 24 hours a day, 7 days a week. When a breach is detected:
Hour 0-4: initial incident briefing, GDPR risk assessment, notification obligation determination, insurer notification.
Hour 4-48: AEPD notification drafting and review, individual notification decision and template drafting (if required), forensic investigation coordination.
Hour 48-72: AEPD notification filing, individual communications sent (if required), NIS2/DORA parallel notifications (if applicable).
Days 4-30: investigation support, supplementary AEPD report, post-breach remediation guidance.
Post-incident: AEPD inquiry management, third-party claim response, insurance claim coordination, privacy audit to prevent recurrence.
Annual breach simulation exercises are available to test the response protocol before a real incident — identifying weaknesses in the notification chain, the impact assessment process, and the insurance coordination procedure at a fraction of the cost of discovering those weaknesses during a real incident.
AEPD Enforcement Patterns: What Triggers the Highest Fines
Understanding the AEPD’s enforcement priorities for data breach cases is essential for managing the regulatory risk after an incident. The AEPD’s published decisions reveal consistent patterns:
Highest fines (EUR 1M+): systemic failure to implement adequate security measures that led to large-scale breaches; delayed or non-existent notification to affected individuals when the risk clearly warranted it; deliberate concealment of breaches or misrepresentation in notifications.
Mid-range fines (EUR 100K-1M): inadequate technical measures (lack of encryption on sensitive data, unpatched critical vulnerabilities); late AEPD notification (beyond 72 hours without justification); incomplete notifications that omitted required content.
Lower fines (under EUR 100K) or no fine: prompt and complete notification; adequate technical measures that limited the breach’s scope; proactive remediation measures implemented before the AEPD investigation concluded; demonstrated compliance programme even where specific controls failed.
The pattern is clear: the quality of the response matters as much as the incident itself. An organisation that responds promptly, transparently, and with demonstrated good faith is in a materially better position than one that delays, underreports, or fails to demonstrate a functioning compliance framework.
Limitation Periods and Historical Breaches
GDPR infringements are subject to a limitation period under Spanish administrative law of 4 years for serious violations. This means that breaches from 2022 onwards are potentially within the AEPD’s current enforcement window. Organisations that suffered breaches before implementing their current data protection frameworks — and that did not notify the AEPD at the time — face residual enforcement exposure if the AEPD becomes aware of the historical incident through a complaint, a media report, or a data subject rights exercise.
For organisations with historical breaches that were not notified, we advise on the risk assessment of voluntary late notification — which may reduce fine exposure compared to involuntary discovery by the AEPD — versus the risk of proactive disclosure. This is a legally nuanced decision that depends on the specific facts of the incident, the current regulatory posture of the organisation, and the AEPD’s likely response. Legal professional privilege attaches to the advice we provide in this context, protecting the deliberation from regulatory disclosure.
Regulatory Framework: GDPR Arts. 33-34, LOPDGDD, and AEPD Guidance
The data breach notification obligation in Spain is governed by:
GDPR Art. 33 (controller to supervisory authority): notification must reach the AEPD without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach. If notification cannot be made within 72 hours, it must be accompanied by reasons for the delay. The notification must contain: the nature of the breach, the categories and approximate number of data subjects and records concerned, the name and contact details of the DPO, the likely consequences, and the measures taken or proposed to address the breach.
GDPR Art. 33.3 (phased notification): where complete information is not available at the outset, the initial notification may be supplemented in phases as additional information becomes available. This provision is operationally critical: the 72-hour deadline must be met with the information available at that point, even if the investigation is not complete.
GDPR Art. 34 (controller to data subjects): communication to affected individuals is required “without undue delay” when the breach is “likely to result in a high risk” to their rights and freedoms. High risk factors include: exposure of special-category data, financial data enabling fraud, data enabling identity theft, and breaches affecting large numbers of individuals.
LOPDGDD Art. 37: the Spanish Data Protection Act supplements the GDPR with specific provisions on the notification obligation, including the obligation to notify the AEPD of security incidents that could affect the personal data managed by public administrations.
AEPD Breach Notification Guide: the AEPD has published a guide on managing data breaches that specifies the required content of the Art. 33 notification, the risk assessment methodology for determining the Art. 34 communication obligation, and the documentation that controllers must maintain to demonstrate compliance with both obligations.
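The dual threshold (Art. 33 at “a risk”, Art. 34 only at “high risk”), the parallel NIS2 clock, the phased-notification rule and the Art. 33(3) content list above can be modelled as a small planner. The code below is an added example written for this page, not BMC’s tooling or an AEPD schema; the risk labels, channel names, field names and the timestamp used for the healthcare case are assumptions.

```python
"""Breach notification planner for the Art. 33 / Art. 34 thresholds and parallel
NIS2 deadlines described on this page. Added example code, not BMC's tooling;
the risk labels, channel names and field names are modelling assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Content an Art. 33(3) notification must carry (as listed under "Regulatory Framework").
ART33_REQUIRED_FIELDS = (
    "nature", "data_categories", "approx_data_subjects", "approx_records",
    "dpo_contact", "likely_consequences", "measures_taken",
)
RISK_LEVELS = ("unlikely", "risk", "high")   # outcome of the impact assessment


@dataclass
class Breach:
    aware_at: datetime          # moment of reasonable knowledge: starts the 72-hour clock
    risk: str                   # one of RISK_LEVELS
    nis2_entity: bool = False   # essential/important entity under NIS2 (assumed flag)
    notification: Dict[str, str] = field(default_factory=dict)  # draft Art. 33 content

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"risk must be one of {RISK_LEVELS}")
        if self.aware_at.tzinfo is None:   # a naive timestamp hides which clock the 72h run on
            raise ValueError("aware_at must be timezone-aware")


def hours_after(b: Breach, hours: float) -> datetime:
    return b.aware_at + timedelta(hours=hours)


def deadlines(b: Breach) -> Dict[str, Optional[datetime]]:
    """Channels triggered by this breach. None means 'without undue delay' (no fixed clock)."""
    plan: Dict[str, Optional[datetime]] = {}
    if b.risk in ("risk", "high"):           # Art. 33: the low 'a risk' threshold
        plan["AEPD Art.33"] = hours_after(b, 72)
    if b.risk == "high":                     # Art. 34: only at the 'high risk' threshold
        plan["Data subjects Art.34"] = None
    if b.nis2_entity:                        # NIS2 runs in parallel, on its own clock
        plan["NIS2 early warning"] = hours_after(b, 24)
        plan["NIS2 incident notification"] = hours_after(b, 72)
    return plan


def missing_art33_fields(b: Breach) -> List[str]:
    """Required elements absent from the draft. Unknown values should be marked
    'pending ...' rather than omitted: the filing stays complete in form and the
    field is flagged for a phased supplement."""
    return [f for f in ART33_REQUIRED_FIELDS if not b.notification.get(f)]


def needs_supplement(b: Breach) -> List[str]:
    """Fields filed as provisional, to be completed in a later phase."""
    return [f for f, v in b.notification.items() if v.lower().startswith("pending")]


def filing_status(b: Breach, filed_at: datetime, reason_for_delay: Optional[str] = None) -> str:
    """On time, late with reasons (Art. 33(1) requires them), or late without."""
    if b.risk not in ("risk", "high"):
        return "not required"
    if filed_at <= hours_after(b, 72):
        return "on time"
    return "late, reasons given" if reason_for_delay else "late, no reasons given"


def worked_example() -> Breach:
    """The page's healthcare ransomware case, with a constructed awareness timestamp."""
    return Breach(
        aware_at=datetime(2024, 1, 13, 0, 0, tzinfo=timezone.utc),   # constructed
        risk="high",
        notification={
            "nature": "ransomware encrypted the patient records database",
            "data_categories": "health data (Art. 9)",
            "approx_data_subjects": "estimated 45,000",
            "approx_records": "pending: partition inventory in progress",
            "dpo_contact": "dpo@example.invalid (placeholder)",
            "likely_consequences": "possible exposure of diagnoses and treatment records",
            "measures_taken": "database isolated; network segmentation; immutable offsite backups",
        },
    )


if __name__ == "__main__":
    b = worked_example()
    for channel, due in deadlines(b).items():
        print(f"{channel}: {due.isoformat() if due else 'without undue delay'}")
    print("missing:", missing_art33_fields(b), "to supplement:", needs_supplement(b))
    print("filed at hour 68:", filing_status(b, hours_after(b, 68)))
```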
Third-Party and Processor-Caused Breaches
A significant proportion of data breaches originate at data processors — cloud providers, SaaS platforms, payroll services, marketing agencies — rather than at the controller’s own systems. GDPR Art. 33.2 requires the processor to notify the controller without undue delay after becoming aware of a breach. The controller’s notification obligation to the AEPD runs from when the controller itself becomes aware — which may be later than when the processor discovered the incident.
Managing a processor-caused breach requires simultaneous actions:
- Activating the DPA (Data Processing Agreement) provisions: notification obligation, audit rights, and indemnification.
- Conducting the controller-level impact assessment: what data was actually affected, and what is the risk to data subjects?
- Notifying the AEPD and (where required) affected individuals on the controller’s own timeline, regardless of the processor’s own communications.
- Preserving evidence of the processor’s breach notification obligations for potential legal action.
We manage processor-caused breaches through our coordinated response protocol, ensuring that the controller’s obligations are fulfilled independently of the processor’s response timeline and quality.
International Breaches: Cross-Border Notification
For organisations operating across multiple EU Member States, a data breach may trigger notification obligations to multiple data protection authorities. The GDPR’s one-stop-shop mechanism (Art. 56) applies to cross-border processing: the lead supervisory authority (the authority in the country of the controller’s main establishment) is the primary addressee of the Art. 33 notification, with other concerned authorities informed through the cooperation mechanism.
For Spanish companies with processing operations only in Spain, the AEPD is always the competent authority. For multinational companies with processing operations in multiple EU countries, determining the lead authority and managing the cooperation process requires coordination with counsel in the relevant jurisdictions. We coordinate cross-border breach notifications for Spanish companies with EU operations through our EU regulatory network.
Real results in data breach management
We received the call on a Saturday at midnight: unauthorised access to our patient database had been detected. Within two hours, the BMC team had activated the response protocol, coordinated with our cybersecurity firm, and had a draft AEPD notification ready. We met the deadline. The AEPD acknowledged the quality of our response and closed the file without sanction.
What our data breach management service includes
Immediate Breach Response Activation
Round-the-clock availability upon breach detection: coordination with the technical team for containment and evidence preservation, and immediate legal impact analysis.
Notification Obligation Assessment
Risk assessment for data subjects' rights to determine whether AEPD notification is required and whether affected individual communication obligations are triggered.
AEPD Notification
Drafting and submission of the AEPD notification within the 72-hour window, containing all information required by Article 33 GDPR.
Affected Individual Communication
Coordination and drafting of individual communications to affected data subjects when the breach poses a high risk to their rights, in compliance with Article 34 GDPR.
Remediation and Post-Breach Register
Implementation of corrective measures, breach register update, post-incident report preparation, and reinforcement of the incident response plan for future events.