How to Handle a GDPR Data Breach as a Business in Spain: The 72-Hour Rule Explained

Elena Vasquez-Moretti

A customer spreadsheet lands in the wrong inbox. A laptop vanishes on a commuter train. A cloud folder containing invoices gets accidentally set to public. A ransomware alert appears on your screen at 4:30 on a Friday afternoon.

Your first instinct is to call IT. But under GDPR, the moment your business becomes aware that personal data may have been compromised, you are no longer dealing with a technical incident. You may already be inside a legal deadline.

For businesses operating in Spain, the urgent questions are not just "what happened?" and "how do we fix it?" They are: Has personal data been affected? Has the 72-hour clock started? Do we need to notify the AEPD?

This guide walks you through what counts as a GDPR personal data breach, when the 72-hour rule applies, what to tell the AEPD, when affected individuals must be informed, and what to document even if formal notification is not required. For broader context on your obligations as a business, see our guide on EU GDPR compliance for businesses.

A GDPR Breach Can Start With Something Ordinary

Most people picture a GDPR data breach as a dramatic cyberattack — masked hackers, stolen databases, breaking news. The reality is far more mundane, and that is exactly what makes it so easy to miss.

A GDPR personal data breach begins the moment personal data is lost, exposed, altered, destroyed, accessed without authorisation, or made unavailable — even if no criminal is involved and no data has been published anywhere online.

Common examples that trigger GDPR breach obligations include:

  • An email containing a customer list sent to the wrong recipient
  • A work laptop or mobile device lost or stolen
  • A cloud folder or shared drive made publicly accessible by mistake
  • A ransomware attack that locks access to employee or customer records
  • Accidental deletion of files with no backup
  • An employee accessing records they are not authorised to view
  • A vendor or processor notifying you that their systems — which hold your data — have been compromised

The question is not whether the breach looks serious at first glance. The question is whether personal data has been affected.

What Counts as a Personal Data Breach Under GDPR?

Under GDPR Article 4(12), a personal data breach is defined as a security breach that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.

In plain terms, a breach is not just a hack or a leak. It covers any situation in which personal data is compromised — including internal mistakes, system failures, and vendor incidents.

Personal data in this context includes names, email addresses, phone numbers, national identity numbers, addresses, employee records, customer records, health information, financial data, login credentials, and any other information that can identify a living individual.

Confidentiality Breaches

A confidentiality breach happens when personal data is disclosed to or accessed by someone who should not see it. Examples include a customer file emailed to the wrong person, an employee viewing records outside their authorisation, a database exposed online, or a stolen device containing readable personal data.

Integrity Breaches

An integrity breach happens when personal data is changed, corrupted, or altered without authorisation. This might look like payroll records incorrectly modified, customer account details altered by an attacker, or employee files corrupted by a system error.

Availability Breaches

An availability breach happens when personal data becomes unavailable, lost, or destroyed. Ransomware blocking access to customer records, data deleted without a backup, or a system outage preventing access to essential employee files — all of these qualify.

A ransomware attack can be a GDPR breach even if no data is published publicly, because the availability of personal data has been affected.

Data Breach vs Data Leak: What Is the Difference?

These two terms are often used interchangeably, but they mean different things under GDPR — and the distinction matters.

A data leak usually refers to personal data being exposed, disclosed, or made accessible to unauthorised parties — typically through a technical vulnerability or human error.

A GDPR personal data breach is broader. It covers leaks, but also loss, destruction, alteration, unauthorised access, and unavailability of personal data.

Every data leak involving personal data may be a GDPR breach, but not every GDPR breach is a public data leak.

A file deleted by mistake with no backup is a breach. A laptop lost with encrypted data may also need to be assessed. Neither involves a public exposure, but both can still fall within your GDPR obligations.

The 72-Hour Rule: When Spanish Businesses Must Notify the AEPD

Under GDPR Article 33, a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach — unless that breach is unlikely to result in a risk to the rights and freedoms of individuals.

For businesses based in Spain, the competent supervisory authority is the AEPD — Agencia Española de Protección de Datos.

The 72-hour rule does not mean every technical incident must be reported. It means every personal data breach must be assessed quickly to determine whether notification is required.

When the 72-Hour Clock Starts

Here is the part that catches most businesses off guard: the clock does not start from the moment the attack or incident occurred. It starts from the moment the business becomes aware that a security incident has taken place and that personal data has likely been affected.

If IT receives a vague alert about unusual system activity, a short verification period is reasonable. But as soon as the business has reasonable certainty that personal data was accessed, disclosed, lost, altered, or made unavailable, the 72-hour window has begun.

What "Becoming Aware" Means in Practice

The European Data Protection Board's Guidelines 9/2022 on personal data breach notification clarify that awareness generally exists when the controller has a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised.

In practice, this means your business may be considered aware when:

  • A wrong-recipient email has been confirmed
  • A lost device is confirmed to have contained personal data
  • An exposed cloud folder is found to have included customer or employee records
  • Ransomware has blocked access to systems holding personal data
  • A vendor confirms that records processed on your behalf were affected

Waiting for a full forensic investigation is not a valid reason to ignore the 72-hour deadline.

What Happens If You Notify Late?

If the 72-hour window passes before notification is submitted, the notification should include a clear explanation of the reasons for the delay. The AEPD accepts this — but failing to notify at all, or failing to explain the delay, can make the regulatory situation significantly worse.

It is also worth noting that businesses can submit an initial notification with the information available and follow up with additional details as the investigation continues. You do not need complete facts to start the process. For more on the consequences of failing to act, see our guide on What Happens if You Get a GDPR Fine in Spain.

Does Every GDPR Breach Need to Be Reported to the AEPD?

No — but every breach must be assessed, and every breach must be documented. The obligation to notify depends on the level of risk the breach creates for the individuals whose data has been affected.

Risk level and required action:

  • Unlikely risk to individuals: document internally; AEPD notification may not be required
  • Risk to individuals: notify the AEPD within 72 hours
  • High risk to individuals: notify the AEPD and communicate directly with affected individuals without undue delay

To put this in context with examples:

  • Low risk: An encrypted laptop is lost. The device is protected by a strong password, and no access credentials are stored on it. Documentation is required; AEPD notification may not be.
  • Risk: A customer spreadsheet is sent to an unauthorised recipient. The data is readable, identifiable, and disclosure has occurred. AEPD notification is likely required.
  • High risk: Health records, banking details, identity documents, or login credentials are exposed. Both AEPD notification and direct communication with affected individuals are required.

What Information Must Be Included in an AEPD Breach Notification?

The AEPD's breach notification process requires controllers to provide specific information when reporting an incident. Your notification should include:

  • The nature of the personal data breach
  • Categories of affected individuals (customers, employees, patients, etc.)
  • Approximate number of affected individuals
  • Categories and approximate number of affected records
  • Name and contact details of your DPO or designated privacy contact
  • The likely consequences of the breach
  • Measures already taken to address the breach
  • Measures proposed to reduce possible harm to affected individuals
  • Whether affected individuals have been or will be notified

If all facts are not available within 72 hours, do not automatically delay. Notify with the information you have, then provide updates as your investigation continues.

When Must Affected Individuals Be Told?

Notifying the AEPD and notifying affected individuals are two separate obligations with different thresholds. It is important not to confuse them.

AEPD notification means telling the supervisory authority that a breach has occurred.

Individual communication means telling the people whose personal data may have been put at high risk.

Under GDPR Article 34, affected individuals must be notified without undue delay when a breach is likely to result in a high risk to their rights and freedoms. High-risk situations typically involve:

  • Identity document data exposed
  • Banking or payment details compromised
  • Health data affected
  • Login credentials disclosed
  • Sensitive HR data accessed without authorisation
  • Data that could lead to fraud, discrimination, financial loss, or serious reputational harm

What the Communication Should Include

When individual notification is required, the message should be clear, factual, and practically useful — not vague, defensive, or full of legal language. It should cover:

  • What happened and when it was discovered
  • What personal data may have been affected
  • The possible consequences for the individual
  • What the business is doing to address the situation
  • What steps the individual can take to protect themselves
  • Contact details for the DPO or privacy contact point

When Individual Notification May Not Be Required

Article 34 of the GDPR confirms that individual communication may not be required where:

  • The data was encrypted or otherwise rendered unintelligible to unauthorised parties
  • The business subsequently took measures ensuring the high risk is no longer likely to materialise
  • Direct communication would involve disproportionate effort — in which case a public communication or equivalent measure may be used instead

Do not assume customer notification is unnecessary simply because you have already notified the AEPD. The high-risk threshold must be assessed separately and independently.

Controller vs Processor: Who Must Notify Whom?

Many Spanish businesses rely on third-party tools and providers to handle personal data on their behalf. Understanding who is responsible for breach notification in these situations is essential.

A controller is the entity that decides why and how personal data is processed — typically your business.

A processor processes personal data on behalf of the controller — a vendor, platform, or service provider.

Examples of processors your business may use include CRM providers, cloud hosting services, payroll platforms, email marketing tools, ecommerce platforms, managed IT providers, and external HR or accounting services.

The rule is straightforward: a processor must notify the controller without undue delay after becoming aware of a breach. It is then the controller — your business — that decides whether the AEPD and affected individuals need to be notified.

This is why processor contracts matter. Your agreements should clearly define how quickly a processor must notify you of a breach, what information they must provide, who investigates the incident, and how updates will be shared.

For context on how Spain's national law interacts with GDPR processor obligations, see our article on GDPR vs Spain's LOPDGDD.

What to Do in the First 72 Hours After Discovering a Breach

Speed matters, but panic does not help. Here is what your business should be doing hour by hour.

First 0–6 Hours: Contain and Confirm

Your immediate priority is to stop further damage and establish whether personal data has actually been affected.

  • Activate your incident response team
  • Contain the breach — revoke access, isolate systems, block accounts if necessary
  • Preserve logs and evidence (do not delete or overwrite anything)
  • Identify the affected systems and data
  • Inform your DPO or designated privacy contact
  • Contact the relevant processor or vendor if a third party is involved

First 6–24 Hours: Assess the Breach

Now it is time to move from technical response to GDPR risk assessment.

  • Classify the breach: confidentiality, integrity, or availability
  • Identify the categories of personal data involved
  • Estimate the number of affected individuals and records
  • Identify the groups affected — customers, employees, patients, users, suppliers
  • Assess the likely risk to those individuals
  • Make a preliminary decision on whether AEPD notification is required

First 24–48 Hours: Prepare the Notification

Do not wait for perfect information. Prepare to notify with what you have.

  • Draft the AEPD notification using the information gathered
  • Note any facts that are still unknown and plan to update later
  • Prepare an internal management briefing
  • Assess whether affected individuals need to be directly informed
  • Draft a clear, plain-language communication for individuals if high risk is confirmed

First 48–72 Hours: Notify, Communicate, and Document

Meet the deadline and demonstrate accountability.

  • Submit the AEPD notification if required, including reasons if delayed
  • Notify affected individuals if high risk is confirmed
  • Continue the investigation and preserve evidence
  • Record all decisions and actions taken
  • Plan follow-up updates to the AEPD where new information becomes available
  • Begin remedial measures to prevent recurrence

What to Document Even If You Do Not Notify the AEPD

Even when a breach does not meet the threshold for AEPD notification, GDPR accountability requires you to document it. Your internal breach register should capture:

  • Date and time the breach was detected
  • Date and time the business became aware
  • Who first reported the incident
  • Description of what happened
  • Systems and data categories affected
  • Approximate number of affected individuals
  • Breach classification: confidentiality, integrity, or availability
  • Risk assessment and outcome
  • Decision on AEPD notification and reasons
  • Decision on individual notification and reasons
  • Actions taken and evidence preserved
  • Lessons learned and measures implemented to prevent recurrence

If your business decides not to notify the AEPD, the reasoning should be clearly documented. This is your evidence of accountability if the decision is ever questioned.
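The risk-to-action rule from the table earlier and the register fields listed in this section, combined into one worked example. This is added code, not from the article, the AEPD or the Spanish Compliance Institute; the class, field and function names are hypothetical and the incident values are constructed.

```python
# Added example, not code from the article or the AEPD: a breach-register entry
# that encodes the article's decision rules. Names are hypothetical; values are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33: "where feasible, within 72 hours"

class BreachType(Enum):
    CONFIDENTIALITY = "confidentiality"  # disclosed to or accessed by the wrong party
    INTEGRITY = "integrity"              # altered or corrupted without authorisation
    AVAILABILITY = "availability"        # lost, destroyed or made inaccessible

class Risk(Enum):
    UNLIKELY = "unlikely risk"  # document internally; AEPD notification may not be required
    RISK = "risk"               # notify the AEPD within 72 hours
    HIGH = "high risk"          # notify the AEPD and communicate with the individuals

def classify(disclosed: bool, altered: bool, unavailable: bool) -> set[BreachType]:
    # One incident can be several types at once (e.g. exfiltration plus ransomware).
    return {kind for hit, kind in [(disclosed, BreachType.CONFIDENTIALITY),
            (altered, BreachType.INTEGRITY), (unavailable, BreachType.AVAILABILITY)] if hit}

@dataclass
class BreachRecord:
    description: str
    breach_types: set[BreachType]
    data_categories: list[str]
    affected_individuals: int
    detected_at: datetime              # first alert or report
    aware_at: datetime                 # reasonable certainty that personal data was affected
    risk: Risk
    decision_reason: str               # why this risk level: the accountability evidence
    data_unintelligible: bool = False  # Art. 34(3)(a): encrypted and the key not compromised
    aepd_notified_at: datetime | None = None
    delay_reason: str = ""

    def aepd_deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW  # clock runs from awareness, not the incident

    def aepd_notification_required(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def individual_communication_required(self) -> bool:
        return self.risk is Risk.HIGH and not self.data_unintelligible  # Art. 34

    def compliance_issues(self, now: datetime) -> list[str]:
        # Flags a reviewer of the register would raise when looking at it at time `now`.
        issues = []
        if not self.decision_reason.strip():
            issues.append("risk decision has no documented reasoning")
        if not self.aepd_notification_required():
            return issues
        deadline = self.aepd_deadline()
        if self.aepd_notified_at is None and now > deadline:
            issues.append("72-hour window passed without AEPD notification")
        elif self.aepd_notified_at and self.aepd_notified_at > deadline and not self.delay_reason:
            issues.append("late AEPD notification must state reasons for the delay")
        return issues

# Constructed scenario from the article: a readable customer spreadsheet is e-mailed to the
# wrong recipient, confirmed at 16:30 on a Friday (Madrid, UTC+1).
MADRID_FRIDAY = datetime(2024, 3, 1, 16, 30, tzinfo=timezone(timedelta(hours=1)))
WRONG_RECIPIENT = BreachRecord(
    description="customer spreadsheet sent to an unauthorised external recipient",
    breach_types=classify(disclosed=True, altered=False, unavailable=False),
    data_categories=["name", "email", "phone"], affected_individuals=340,
    detected_at=MADRID_FRIDAY - timedelta(hours=2), aware_at=MADRID_FRIDAY,
    risk=Risk.RISK, decision_reason="data readable and identifiable; disclosure confirmed",
)
```

For the Friday-afternoon scenario the deadline falls at 16:30 on the Monday, which is why the article stresses that the weekend does not pause the clock.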

Common GDPR Breach Response Mistakes to Avoid

Mistake 1: Waiting for a Full Investigation Before Acting

Notification can be submitted in phases. Do not delay an initial notification while waiting for a forensic report that may take weeks.

Mistake 2: Assuming Only Cyberattacks Count

Wrong emails, lost devices, accidental deletion, and data unavailability are all potential GDPR breaches, regardless of whether any criminal intent was involved.

Mistake 3: Forgetting Availability Breaches

Ransomware that blocks access to personal data can trigger GDPR obligations even if no data is ever published. Access denial is enough.

Mistake 4: Not Documenting Non-Reportable Incidents

Low-risk incidents still need to go into your breach register. Every incident should be assessed and logged, even when AEPD notification is not required.

Mistake 5: Letting Vendors Respond Too Slowly

Your processor contracts should specify fast breach-notification obligations. A vendor that takes a week to tell you about a breach can cost your business the 72-hour window.

Mistake 6: Confusing AEPD Notification With Individual Notification

These are separate duties with different thresholds. Notifying the AEPD does not mean you have automatically fulfilled your obligation to affected individuals.

Mistake 7: Sending Vague or Panicked Communications

Affected individuals need calm, clear, actionable information. A poorly drafted notification can erode trust faster than the breach itself.

GDPR Data Breach Response Checklist for Spanish Businesses

Use this as your immediate reference when a potential breach is discovered:

  • Confirm whether personal data is involved
  • Contain the incident immediately and preserve evidence
  • Inform the DPO or designated privacy contact
  • Classify the breach: confidentiality, integrity, or availability
  • Identify the categories of personal data affected
  • Estimate the number of affected individuals and records
  • Assess the risk level to individuals
  • Decide whether AEPD notification is required
  • Prepare and submit the AEPD notification within 72 hours if required
  • Assess whether affected individuals must be informed directly
  • Send clear, plain-language communication if high risk exists
  • Record all decisions and actions in your breach register
  • Update the AEPD if additional information becomes available
  • Implement corrective measures and document lessons learned
  • Review your breach response plan and close procedural gaps

How to Reduce GDPR Breach Risk Before an Incident

The businesses that handle breaches well are rarely the ones that improvise under pressure. They are the ones that prepared before anything went wrong.

GDPR breach readiness means having the right processes, controls, and documentation in place before the 72-hour clock ever starts. That includes:

  • A documented breach response plan with clear roles and escalation paths
  • Staff training on how to recognise and report a potential breach
  • A named DPO or privacy contact who can be reached quickly
  • Processor contracts with explicit breach notification timeframes
  • Access controls and least-privilege permissions across all systems
  • Encryption on laptops, mobile devices, and files containing personal data
  • Multi-factor authentication on accounts with access to personal data
  • Secure, tested backups and a documented restoration process
  • Data minimisation — only hold personal data that is actually needed
  • Clear retention and deletion rules
  • Logging and monitoring that supports early breach detection
  • A breach register template ready to use at the moment of discovery

The best time to build a breach response process is before the 72-hour clock starts.

Build Breach Readiness Before the Clock Starts

A breach response plan should not be written during a crisis. By the time a wrong email, a ransomware alert, a vendor breach, or an exposed database is discovered, the process needs to already be in place.

The EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute helps professionals understand GDPR duties, breach response, documentation, processor management, DPIAs, and Spain-specific compliance expectations — so that when a breach happens, your team knows exactly what to do and can demonstrate it. 

Frequently Asked Questions

What is a personal data breach under GDPR?

A personal data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is broader than a hack or a leak and includes internal mistakes and system failures.

What is the 72-hour rule under GDPR?

It requires a controller to notify the competent supervisory authority — the AEPD, in Spain — without undue delay and within 72 hours of becoming aware of a reportable personal data breach.

When does the 72-hour clock start?

It starts when the controller becomes aware — meaning it has reasonable certainty — that a security incident has occurred and personal data has been affected.

Does every GDPR breach need to be reported to the AEPD?

No. If the breach is unlikely to result in risk to individuals, AEPD notification may not be required. However, the incident must still be assessed and documented internally.

What information must be included in a breach notification?

The notification should include the nature of the breach, affected data categories and approximate numbers, DPO or contact-point details, likely consequences, and the measures taken or proposed to address the situation.

When must affected individuals be notified?

Affected individuals must be notified when the breach is likely to result in a high risk to their rights and freedoms — for example, when health data, financial data, identity documents, or login credentials have been compromised.

What is the difference between a data breach and a data leak?

A data leak typically means data has been exposed or disclosed. A GDPR personal data breach is broader — it includes loss, destruction, alteration, unavailability, and unauthorised access, not just public exposure.

Do processors notify the AEPD directly?

Usually not. Processors notify the controller without undue delay. The controller then decides whether the AEPD and affected individuals must be informed.

What happens if a business reports a breach late?

The notification should include reasons for the delay. It is still better to notify late than not at all. Failing to notify or failing to document the decision can result in regulatory action and increased fines.

How can businesses reduce GDPR breach liability?

By preparing a breach response plan, training staff, managing processor contracts carefully, using encryption, restricting data access, maintaining a breach register, and documenting all response decisions clearly.