
Data Breach Notification

A data breach notification is a legal requirement to inform supervisory authorities and, in some cases, affected individuals when personal data has been compromised through a security breach. Under the GDPR, controllers must notify their supervisory authority within 72 hours of becoming aware of a breach that poses a risk to people's rights and freedoms, and directly notify affected individuals if the breach presents a high risk.

Legal Basis

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

— Article 33(1), Regulation (EU) 2016/679 (GDPR)

"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."

— Article 34(1), Regulation (EU) 2016/679 (GDPR)

Why It Matters

Data breach notification obligations affect any organization that processes personal data in the context of political advertising services. For sponsors, publishers, and providers of political advertising services under Regulation 2024/900, this means that any unauthorized access to, loss of, or alteration of personal data used for targeting or ad delivery must be promptly reported to the relevant data protection authority.

The 72-hour notification window is strict and starts when the organization becomes aware of the breach, not when it finishes investigating. Organizations must have internal processes to detect, investigate, and report breaches quickly. Failure to notify can result in fines of up to €10 million or 2% of global annual turnover under the GDPR.

For political advertising specifically, breaches involving targeting data, voter profiles, or political preferences are particularly sensitive. These breaches can expose individuals to manipulation, discrimination, or retaliatory harm, making timely notification critical to protecting democratic processes and individual rights.

Key Points

  • Controllers must notify their supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to risk individuals' rights and freedoms
  • If the breach poses a high risk to individuals, they must be notified directly without undue delay
  • Notifications must describe the nature of the breach, the categories and approximate number of individuals and records affected, and the measures taken to address it
  • Processors must notify controllers immediately upon discovering a breach so controllers can meet their own notification deadlines
  • Organizations should maintain documentation of all breaches, including those not reported, to demonstrate compliance
  • Penalties for failure to notify can reach €10 million or 2% of global annual turnover, whichever is higher

Data Breach Notification vs. Transparency Notice

While both involve disclosure obligations, data breach notification and transparency notices serve different purposes. A data breach notification is a reactive, incident-driven requirement triggered when personal data security is compromised. It must be delivered to supervisory authorities within 72 hours and to affected individuals when high risk exists.

A transparency notice (such as the privacy notice required under Articles 13 and 14 GDPR or the transparency notice for political advertising under Regulation 2024/900) is a proactive, ongoing obligation to inform individuals about how their data is being processed before or at the time of collection. Transparency notices are preventative and informational; breach notifications are remedial and urgent.

Aspect      Data Breach Notification            Transparency Notice
Trigger     Security incident                   Data collection/processing
Timing      72 hours (to authority)             Before/at collection
Audience    Authority + affected individuals    All data subjects
Purpose     Incident response                   Ongoing transparency

Related Terms

  • Personal data
  • Data protection authority
  • Controller
  • Processor
  • GDPR compliance
  • Targeting techniques
  • Security measures
  • Supervisory authority
  • Privacy notice
  • Data subject rights

Data breach notification: Core Facts

Status: Active Definition
Verified: 2026-03-07
