The European Data Protection Board has agreed on a single, harmonized template for reporting personal data breaches to supervisory authorities, aiming to reduce the inconsistency organizations face when notifying regulators in multiple member states. The move follows a meeting between the EDPB and EU Justice Commissioner Michael McGrath on enforcement priorities.
The European Data Protection Board (EDPB), the body that coordinates how the General Data Protection Regulation is applied across the European Union, has adopted a common template for notifying personal data breaches to national supervisory authorities. The decision came alongside a meeting between EDPB representatives and EU Commissioner for Democracy, Justice, and the Rule of Law Michael McGrath, where the two sides discussed enforcement consistency and the practical burdens facing organizations that operate in more than one member state.
For compliance teams, the headline is straightforward: there will now be a standardized form for the breach reports that GDPR has required since 2018. What changes is not the legal obligation itself but the mechanics of meeting it.
What the regulation already requires
The underlying duty comes from Article 33 of the GDPR. When a controller becomes aware of a personal data breach, it must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification happens later than 72 hours, the controller must explain the reasons for the delay. The one exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals, which need not be notified, although Article 33(5) still requires the controller to document every breach, its effects and the remedial action taken, so that the authority can verify compliance.
The notification must describe, at minimum, the nature of the breach (including the categories and approximate number of data subjects and records affected), the name and contact details of the data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, Article 34 adds a separate obligation to communicate the breach to the affected individuals directly.
Processors carry a related duty: under Article 33(2), a processor that becomes aware of a breach must notify the controller without undue delay, since the controller is the party responsible for reporting to the authority.
The problem the template solves
Until now, each of the EU and EEA supervisory authorities maintained its own notification form. A company that suffered a single incident touching residents in several countries could find itself filling out forms with different structures, formats, field requirements and sometimes languages, all asking for essentially the same information. For organizations relying on the one-stop-shop mechanism, where a lead supervisory authority coordinates cross-border cases, the divergence in front-end forms added friction even when the legal process behind them was meant to be unified.
The common template is designed to remove that divergence. By giving controllers a single structure to populate, the EDPB intends to make the 72-hour window more workable in practice and to produce reports that are more comparable across jurisdictions. Comparable data also helps regulators, who can aggregate and analyze breach trends more reliably when the inputs follow the same schema.
What compliance teams should do
The practical work here is preparation, not panic. A few concrete steps follow from the change.
First, review your incident response runbook against the fields in the common template once your lead authority publishes its implementation. If your internal breach intake form collects different data points or labels them differently, align them now so that responders are not translating information under time pressure during an actual incident.
Second, confirm where you would file. The template standardizes the form, not the question of which authority is competent. Organizations with a main establishment in the EU should continue to identify their lead supervisory authority; those without an EU establishment may need to notify in each affected member state, and the harmonized form makes that multi-filing scenario less labor-intensive.
Third, revisit your processor contracts. Article 28 data processing agreements should already require processors to report breaches to you promptly and with enough detail to populate a regulatory notification. With a defined template, you can specify precisely which fields a processor must supply, shortening the gap between a processor noticing an incident and you being able to file.
Fourth, rehearse the timeline. The 72-hour clock starts when the controller becomes aware of the breach, which the EDPB has interpreted as the point at which the controller has a reasonable degree of certainty that a security incident compromising personal data has occurred. The clock does not pause while the investigation continues: Article 33(4) allows the required information to be provided in phases without undue further delay, so an initial notification with what is known, followed by updates, is the expected pattern when the facts are still being established. A tabletop exercise that walks from detection to filed notification will tell you whether your current process fits inside that window and whether responders know what a first-phase filing must contain.
Timeline and what comes next
The adoption of the template is the EDPB acting in its coordinating role; national supervisory authorities will be the bodies that put the form into use through their own reporting portals. Compliance teams should watch for announcements from their lead authority describing when the common template becomes the accepted or required format and whether existing national forms will be phased out. The sensible posture is to treat the harmonized fields as the baseline your incident response process should already satisfy, regardless of the exact date each authority switches over.
The McGrath meeting signals that breach reporting and consistent enforcement remain priorities at the Commission level, which suggests further coordination work rather than a one-off. Organizations that maintain a current data processing inventory, a tested incident response plan, and clear processor reporting obligations will absorb this change with little disruption. Those treating breach notification as an ad hoc exercise should use the template's arrival as the prompt to formalize the process before they need it.
The EDPB publishes its adopted documents and guidance on its official website, which is the authoritative source for the final template text and any accompanying guidance on its use.