Does an AI incident count as a personal data breach?

Yes, if it leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Prompt logs leaking customer data, a misconfigured vector store, or a model trained on data it should not have all qualify.

Do I always have to notify the authority?

No. Notification to the supervisory authority is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. You must still document every breach internally under Article 33(5), including ones you decide not to report.

When must I also tell the affected individuals?

Article 34 requires you to inform data subjects directly when the breach is likely to result in a high risk to their rights and freedoms — for example exposure of health data, financial details, or credentials that could enable fraud.

Is this template legal advice?

No. It is a structured starting point that mirrors the Article 33 information requirements. Breach assessment and reporting decisions should be reviewed by your Data Protection Officer or qualified legal counsel.

AI Data Breach Notification Template

Q: What is the GDPR 72-hour rule?

Under Article 33, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification is later than 72 hours it must be accompanied by reasons for the delay.

AI data breach notification template

When an AI system leaks or mishandles personal data, the GDPR clock starts the moment you become aware. Article 33 requires controllers to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours. This tool assembles a complete notification covering every element the regulation asks for — the nature of the breach, the categories and approximate number of data subjects and records, the likely consequences, and the measures taken — so you can move fast under pressure.

How it works

You describe the incident, the data categories involved, an estimate of how many people are affected, and the steps you have already taken to contain it. The tool maps your answers onto the structure of an Article 33 notification: identification of the controller and DPO, a factual description of the breach and its timeline, the data categories and approximate counts, the likely consequences for individuals, and the mitigation measures. Everything runs in your browser — no incident details are sent anywhere.

Tips and notes

Notify even if details are incomplete. Article 33 explicitly allows phased reporting; send what you know within 72 hours and supplement later.
Document the “no-notify” decision too. If you conclude the breach is low risk, keep your reasoning — Article 33(5) requires an internal record of every breach.
Separate the Article 34 question. Notifying the authority and notifying affected individuals are distinct duties with different thresholds.
Have it reviewed. This is a drafting aid, not legal advice — your DPO or counsel signs off before anything leaves the building.