GDPR Art. 33 · personal data breach
When is your 72-hour deadline?
Enter the moment you became aware of a personal data breach to get the exact Article 33 deadline to notify the supervisory authority — the strict 72-hour point, the weekend / holiday extension under Regulation 1182/71, and the separate Article 34 trigger. All in your browser.
One timestamp, the whole picture
Awareness + 72 continuous hours, to the minute, in your timezone, with a live countdown.
If the deadline lands on a Saturday, Sunday or holiday, Reg 1182/71 may push it to the next working day — clearly caveated.
From "awareness", not occurrence or detection (EDPB Guidelines 9/2022).
Whether you must also tell affected individuals: the "high risk" test and three exemptions.
The rules, in their own words
“the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority… where the notification … is not made within 72 hours, it shall be accompanied by reasons for the delay.”
“The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
“Communication to the data subject … shall not be required if … (a) [protective measures such as encryption rendering data unintelligible were applied]; (b) [subsequent measures ensure the high risk is no longer likely]; or (c) it would involve disproportionate effort [then a public communication is made instead].”
Why it matters
The 72-hour clock has subtleties that catch people out: it starts at awareness, runs in calendar hours, and can shift at the end on a non-working day. breach72 applies the regulation text and EDPB guidance with a disclosed method — no black-box answer — and runs entirely client-side, so nothing you enter is uploaded. It is informational only, not legal advice, and not affiliated with any supervisory authority.
Frequently asked questions
What does breach72 do?
Enter the exact moment your organisation became aware of a personal data breach, in the relevant timezone, and it shows the GDPR Article 33 notification deadline to the supervisory authority — the strict 72-hour point with a live countdown, plus whether that point falls on a weekend or public holiday and how Regulation 1182/71 may extend it to the next working day. It also reminds you when you separately have to notify the affected individuals under Article 34. Everything runs in your browser.
When does the 72-hour clock start?
From when the controller becomes "aware" of the breach — the point at which you have a reasonable degree of certainty that a security incident has compromised personal data — NOT from when the breach happened or was first detected. (EDPB Guidelines 9/2022.) If you are a processor, your duty under Article 33(2) is to notify the controller "without undue delay"; the controller's 72-hour clock then starts when they become aware.
Is the 72 hours counted in calendar hours or working hours?
Calendar hours. The 72 hours run continuously and include weekends and public holidays — the GDPR speaks in hours, not business days. The only adjustment is at the end: under Regulation (EEC, Euratom) No 1182/71 (referenced by the EDPB), if the deadline expires on a Saturday, Sunday, or public holiday, it is extended to the end of the next working day. breach72 shows both the strict 72-hour point and that extended date.
Can I really rely on the weekend extension?
Treat it with caution. The strict, safe reading is to notify within 72 continuous hours — Article 33 says "without undue delay and, where feasible, not later than 72 hours". The Regulation 1182/71 extension to the next working day is a recognised interpretation for when the deadline lands on a non-working day, but practice can vary by supervisory authority, and you must know which national public holidays apply. Use the extended date as a fallback, not a plan, and document your reasoning.
When do I also have to tell the affected people (Article 34)?
When the breach is "likely to result in a high risk to the rights and freedoms of natural persons", you must communicate it to the affected data subjects "without undue delay" — there is no fixed 72-hour figure for this. Article 34(3) lists exceptions: (a) the data was protected, e.g. strong encryption that makes it unintelligible; (b) you have taken later measures so the high risk is no longer likely; or (c) it would involve disproportionate effort, in which case you make a public communication instead. breach72 surfaces this as a decision aid, not an automated answer.
What if I have already missed the 72 hours?
Notify the supervisory authority immediately anyway. Article 33(1) expressly allows late notification provided it is "accompanied by reasons for the delay". A late notification is far better than none. breach72 will show how long ago the deadline passed so you can document it.
Does this handle my country's public holidays?
It handles weekends automatically. Public holidays differ by Member State and even by region, so breach72 does not assume them — it flags that a national public holiday could extend the deadline further and that you should check your supervisory authority's calendar. The safe course is to anchor on the strict 72-hour point.
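The calendar-hour rule and the weekend / holiday handling described in the answers above can be sketched as follows. This is an added example, not breach72's own code. The function names, the fixed UTC offset used in place of a full timezone database, the caller-supplied holiday list and the sample dates are all assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample dates.
const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// Local calendar date (YYYY-MM-DD) and weekday of an instant at a fixed UTC offset.
function localDay(instantMs, offsetMin) {
  const shifted = new Date(instantMs + offsetMin * 60000);
  return { iso: shifted.toISOString().slice(0, 10), dow: shifted.getUTCDay() };
}

// Saturday, Sunday, or a date in the caller's own holiday list.
function isNonWorking(instantMs, offsetMin, holidays) {
  const { iso, dow } = localDay(instantMs, offsetMin);
  return dow === 0 || dow === 6 || holidays.has(iso);
}

// awareIso: moment of awareness (ISO 8601 with offset).
// offsetMin: local UTC offset in minutes (simplification: ignores DST changes).
// holidayList: local public holidays as "YYYY-MM-DD"; nothing is assumed by default.
function article33Deadline(awareIso, offsetMin, holidayList = []) {
  const aware = Date.parse(awareIso);
  if (Number.isNaN(aware)) throw new RangeError("invalid awareness timestamp");
  const holidays = new Set(holidayList);
  const strict = aware + 72 * HOUR_MS; // continuous calendar hours
  let extended = null;
  if (isNonWorking(strict, offsetMin, holidays)) {
    // Local midnight that starts the day on which the strict deadline falls.
    const shifted = strict + offsetMin * 60000;
    let dayStart = shifted - (shifted % DAY_MS) - offsetMin * 60000;
    do { dayStart += DAY_MS; } while (isNonWorking(dayStart, offsetMin, holidays));
    extended = dayStart + DAY_MS; // end of the next working day (exclusive bound)
  }
  return {
    strict: new Date(strict).toISOString(),
    extended: extended === null ? null : new Date(extended).toISOString(),
  };
}

// Constructed sample: awareness on a Wednesday morning at UTC+2.
console.log(article33Deadline("2024-05-08T10:30:00+02:00", 120));
```

The `extended` value is `null` whenever the strict 72-hour point already falls on a working day, so the strict point remains the anchor in every case.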
Is this legal advice? Is my data private?
No — breach72 is an informational timer that applies published rules to a date you enter. It is not legal advice and is not affiliated with any supervisory authority or the EU. For an actual breach, involve your DPO and qualified counsel. On privacy: this is a static page; your timestamp is processed entirely in your browser, never uploaded, and nothing is logged.