GDPR Art. 33 · personal data breach

When is your 72-hour deadline?

Enter the moment you became aware of a personal data breach, in the right timezone. Get the exact Article 33 deadline to notify the supervisory authority — a live countdown to the strict 72-hour point, plus the weekend / public-holiday extension under Regulation 1182/71 that most calculators miss, and a reminder of the separate Article 34 duty to tell the affected people. Everything runs in your browser.

Article 33 deadline — notify the supervisory authority

2d 23h 59m left to notify

Strict 72-hour deadline: Wednesday, 17 June 2026 at 04:52 UTC

Clock started (awareness): Sunday, 14 June 2026 at 04:52 UTC
Strict 72-hour deadline: Wednesday, 17 June 2026 at 04:52 UTC

Also notify the affected individuals? (Article 34)

There is no 72-hour figure here. You must tell the data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. You may be exempt if:

  • (a) the data was protected (e.g. strong encryption making it unintelligible);
  • (b) you took later measures so the high risk is no longer likely;
  • (c) it would take disproportionate effort — then make a public communication instead.

Computed in your browser from the moment of awareness — nothing is uploaded. Informational only, not legal advice; for a real breach involve your DPO and counsel.

Awareness entered: Sunday, June 14, 2026 at 04:52 (UTC).

Informational tool, not legal advice. For a real breach, involve your DPO and qualified counsel.

What it shows

One timestamp, the whole deadline picture

The strict 72-hour deadline

Awareness + 72 continuous hours, to the minute, in your timezone — with a live countdown and the exact calendar date and time.

The weekend extension others miss

If the 72-hour point lands on a Saturday, Sunday or holiday, Regulation 1182/71 may push it to the next working day. We show it — clearly caveated, not as a loophole.

When the clock really starts

From "awareness", not from when the breach happened or was detected. We make the start time explicit so you can defend it.

The Article 34 trigger

Whether you must also tell the affected individuals — the "high risk" test and the three exemptions, including encryption and disproportionate effort.

Already late?

Past the deadline, it shows how long ago it passed and reminds you that Article 33(1) still requires notification "with reasons for the delay".

Nothing leaves your browser

100% static page, pure client-side JavaScript. No backend, no upload, no logs — fitting for a tool you'd reach for during an incident.

Open methodology

Exactly how the deadline is computed

No black box — every step follows the regulation text and EDPB guidance, so you can verify it.

The rules, in their own words

Art. 33(1)

“the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority… where the notification … is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Art. 33(2)

“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”

Art. 34(1)

“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”

Art. 34(3)

“Communication to the data subject … shall not be required if … (a) [protective measures such as encryption rendering data unintelligible were applied]; (b) [subsequent measures ensure the high risk is no longer likely]; or (c) it would involve disproportionate effort [then a public communication is made instead].”

Stated plainly: breach72 is an informational timer, not legal advice, and is not affiliated with any supervisory authority or the EU. The 72-hour rule and the texts above are quoted from the GDPR (Regulation (EU) 2016/679); the weekend extension follows Regulation (EEC, Euratom) No 1182/71 as referenced in the EDPB Guidelines 9/2022. National public holidays vary — check your supervisory authority. During a real breach, involve your DPO and qualified counsel.

Frequently asked questions

What does breach72 do?

Enter the exact moment your organisation became aware of a personal data breach, in the relevant timezone, and it shows the GDPR Article 33 notification deadline to the supervisory authority — the strict 72-hour point with a live countdown, plus whether that point falls on a weekend or public holiday and how Regulation 1182/71 may extend it to the next working day. It also reminds you when you separately have to notify the affected individuals under Article 34. Everything runs in your browser.

When does the 72-hour clock start?

From when the controller becomes "aware" of the breach — the point at which you have a reasonable degree of certainty that a security incident has compromised personal data — NOT from when the breach happened or was first detected. (EDPB Guidelines 9/2022.) If you are a processor, your duty under Article 33(2) is to notify the controller "without undue delay"; the controller's 72-hour clock then starts when they become aware.

Is the 72 hours counted in calendar hours or working hours?

Calendar hours. The 72 hours run continuously and include weekends and public holidays — the GDPR speaks in hours, not business days. The only adjustment is at the end: under Regulation (EEC, Euratom) No 1182/71 (referenced by the EDPB), if the deadline expires on a Saturday, Sunday, or public holiday, it is extended to the end of the next working day. breach72 shows both the strict 72-hour point and that extended date.

Can I really rely on the weekend extension?

Treat it with caution. The strict, safe reading is to notify within 72 continuous hours — Article 33 says "without undue delay and, where feasible, not later than 72 hours". The Regulation 1182/71 extension to the next working day is a recognised interpretation for when the deadline lands on a non-working day, but practice can vary by supervisory authority, and you must know which national public holidays apply. Use the extended date as a fallback, not a plan, and document your reasoning.

When do I also have to tell the affected people (Article 34)?

When the breach is "likely to result in a high risk to the rights and freedoms of natural persons", you must communicate it to the affected data subjects "without undue delay" — there is no fixed 72-hour figure for this. Article 34(3) lists exceptions: (a) the data was protected, e.g. strong encryption that makes it unintelligible; (b) you have taken later measures so the high risk is no longer likely; or (c) it would involve disproportionate effort, in which case you make a public communication instead. breach72 surfaces this as a decision aid, not an automated answer.

What if I have already missed the 72 hours?

Notify the supervisory authority immediately anyway. Article 33(1) expressly allows late notification provided it is "accompanied by reasons for the delay". A late notification is far better than none. breach72 will show how long ago the deadline passed so you can document it.

Does this handle my country's public holidays?

It handles weekends automatically. Public holidays differ by Member State and even by region, so breach72 does not assume them — it flags that a national public holiday could extend the deadline further and that you should check your supervisory authority's calendar. The safe course is to anchor on the strict 72-hour point.
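
The calendar-hours rule and the end-of-period adjustment from the answers above, as an added JavaScript example (not breach72's own code). `article33Deadline`, its parameters and its return shape are assumptions for illustration; public holidays are passed in by the caller because the page does not assume them, and the sample timestamps are constructed.

```javascript
// Added example: Article 33 deadline arithmetic as the FAQ describes it.
const HOUR_MS = 60 * 60 * 1000;

// Calendar date (YYYY-MM-DD) of an instant as seen in an IANA timezone.
function localDate(instant, timeZone) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone, year: "numeric", month: "2-digit", day: "2-digit",
  }).formatToParts(instant);
  const p = Object.fromEntries(parts.map((x) => [x.type, x.value]));
  return `${p.year}-${p.month}-${p.day}`;
}

// Saturday, Sunday, or a date in the caller-supplied holiday set.
function isNonWorking(dateStr, holidays) {
  const dow = new Date(`${dateStr}T12:00:00Z`).getUTCDay(); // 0 = Sun, 6 = Sat
  return dow === 0 || dow === 6 || holidays.has(dateStr);
}

// Next calendar date; noon UTC keeps the arithmetic clear of day boundaries.
function nextDay(dateStr) {
  const t = Date.parse(`${dateStr}T12:00:00Z`) + 24 * HOUR_MS;
  return new Date(t).toISOString().slice(0, 10);
}

// Hypothetical helper: returns the strict 72-hour instant and, if that instant
// falls on a non-working local day, the working day the deadline may extend to.
function article33Deadline(awarenessIso, timeZone, holidays = new Set()) {
  const awareness = new Date(awarenessIso);
  if (Number.isNaN(awareness.getTime())) {
    throw new RangeError("awareness must be an ISO 8601 timestamp with offset");
  }
  const strict = new Date(awareness.getTime() + 72 * HOUR_MS); // continuous hours
  const strictLocalDate = localDate(strict, timeZone);
  let extendedTo = null; // null: strict point is on a working day
  if (isNonWorking(strictLocalDate, holidays)) {
    extendedTo = nextDay(strictLocalDate);
    while (isNonWorking(extendedTo, holidays)) extendedTo = nextDay(extendedTo);
  }
  return { strict: strict.toISOString(), strictLocalDate, extendedTo };
}

// Constructed sample: same awareness instant, evaluated in two timezones.
const sample = "2026-06-16T22:30:00Z";
console.log(article33Deadline(sample, "UTC"));
console.log(article33Deadline(sample, "Europe/Berlin"));
```

The same instant is a Friday in UTC and a Saturday in Europe/Berlin, which is why the timezone entered with the awareness time decides whether the extension applies at all.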

Is this legal advice? Is my data private?

No — breach72 is an informational timer that applies published rules to a date you enter. It is not legal advice and is not affiliated with any supervisory authority or the EU. For an actual breach, involve your DPO and qualified counsel. On privacy: this is a static page; your timestamp is processed entirely in your browser, never uploaded, and nothing is logged.