EDPB adopts common template for GDPR data breach reports

The European Data Protection Board has adopted a common template for notifying personal data breaches under the General Data Protection Regulation.

Under Article 33 of the GDPR, organisations must notify the relevant data protection authority when a personal data breach is likely to create a risk for individuals. A breach can include the loss, theft, accidental disclosure, or unauthorised access to personal data.

The new template is intended to make these reports more consistent across EU Member States. It provides predefined fields and guidance so that organisations can structure notifications in a clearer and more comparable way.

The change is technical but practical. Organisations operating in several EU countries can face different national reporting formats, even though they are applying the same GDPR rule. A common template can reduce duplication and make compliance easier.

For data protection authorities, a shared format can also improve how breach reports are reviewed. It may help authorities compare incidents, identify missing information more quickly, and respond more consistently.

The template is designed to support breach notifications under Article 33. It does not change the legal duty to report a breach when the GDPR threshold is met.