v1.0 · 08 June 2026 · EDPB template data breach notification form

DataLaws.net - EDPB data breach notification form

This form is an example based on the EDPB's template for personal data breach notification (version 1.0, public consultation ongoing). It is meant as an illustration, but can hopefully be of some use to visualise what works and what does not. [If you wish to use it with actual data, the tool is a self-contained HTML file, so no data ever leaves your own device.] Note that the sidebar is entirely made-up and not included in the EDPB's template, but it is in my view a better way of keeping this viable. If you spot any inaccuracies, please reach out to Peter Craddock.

1. Information on the personal data breach notification

1.1 Type of notification *

?Indicate here if you notifying a new data breach or if you are amending a previous notification

a) New Notification b) Follow-Up Notification

Sub-type of notification *

?Indicate here if you provide a complete notification, amend a preliminary (incomplete) notification or provide preliminary (incomplete) information to be amended. Complete (all required information can be provided) Incomplete (not all information can be provided right now) Withdraw (Cancel a previous Notification; e.g. duplicate, no risk after initial assessment)

a) Complete b) Incomplete c) Withdraw

Reasons for withdrawing *

ID of previously notified breach *

?Please provide the ID of the previous personal data breach your are completing or amending.

Data controller's internal reference number

?Provide your internal reference number if any

2. Identification of the data controller and reporting person

Is Data Controller established in the EEA? *

Yes No

2.1 Type of Identifier

a) CompanyID b) Org number c) VAT

Identifier Value

Name of the organisation *

Contact details *

Sector

a) Private b) Public

Type of organisation

?If you consider your organisation not fitting in those four categories, please select “Others” and specify how

a) Freelance / Micro b) SME c) Large d) Others

Further description of organisation type

Classification of economic activity (NACE)

?Select applicable classification sectors

Name of representative in EEA *

Contact details of representative *

2.2 Name of the reporting person *

Contact details *

Function of the reporting person *

a) DPO b) Legal representative c) Authorised rep or other

Description of the function *

Accuracy & Responsibility *

[EDPB to specify text, likely something like this:] I represent and warrant that the information provided is accurate and that I (or my organisation) may be liable for any such information [+ information from authority about how personal data of the reporting person + DPO are processed]

2.3 Is a DPO designated? *

Yes No

Name of the DPO *

Contact details *

More information about incident obtained at:

a) DPO b) Reporting person c) Other (please specify)

Name of contact person *

Function of contact person *

Contact details *

2.4 Are other parties (processors/joint controllers) involved? *

?Indicate here if other organisations were involved in the data breach (for example a data processor, a joint controller, etc.)

Yes No

Qualification of involved party *

?Specify role (Data Processor, Joint Controller or Other)

Name of the involved party *

Contact details *

3. Initial information on the personal data breach

3.1 When did the personal data breach occur? *

?If you do not know the dates precisely, please indicate the estimated dates below

a) On a specific day b) From a date to a date c) From a date and is still ongoing d) Cannot be determined e) To be determined

Only estimated dates are possible

Check this box if you do not know the dates precisely.

Beginning date and time *

Ending date and time *

Date and time of awareness *

Reasons for late notification *

How was the personal data breach discovered? *

a) Detection by data controller b) Detection by data processor c) Communication by data subject d) Communication by external party e) Press news f) Other

Further description of discovery *

?Please describe how the personal data breach was discovered, e.g., Malware or Intrusions detecion system, Coordinated Vulnerability Disclosure, …

Date of notification by other party *

Further comments on timeline

?Please provide an overview over relevant events and other issues regarding the timeline (if applicable), such as, the duration of impacts on availability, integrity and confidentiality, the awareness date of the processor, etc. Please indicated how you estimated the dates of the breach (if applicable)

3.2 Nature of the personal data breach (Multi-Choice) *

a) Confidentiality breach b) Integrity breach c) Availability breach

Additional explanations:
a) Confidentiality breach - where there is an unauthorised or accidental disclosure of, or access to, personal data.
b) Integrity breach - where there is an unauthorised or accidental alteration of personal data.
c) Availability breach - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.

Type of confidentiality breach *

a) Exfiltrated or disclosed b) Likely exfiltrated c) Not exfiltrated d) Not possible to assess e) To be determined

Was data unintelligible / protected? *

?If you answered d), please specify why the assessment is not possible (e.g. technical reasons)

a) Yes, protection intact b) Measures likely subverted c) No d) Not possible to assess e) To be determined

Additional explanations:
a) Yes and protection is still intact (e.g. data was securely encrypted or otherwise protected)
b) Protective measures had been taken, but it is likely that they could be subverted (e.g. because the unauthorised party could be able to use decryption keys or exploit a technical weakness in the measures that have been applied)

Type of integrity breach *

a) Modified, no wrongful use b) Modified, wrongful use, reversible c) Modified, wrongful use, irreversible

a) Alteration or modification of the data, with no evidence of illegal or wrong use
b) Alteration or modification of the data, with evidence of illegal or wrong use, but with the possibility of reversing/recovering the damages to data subjects
c) Alteration or modification of the data with evidence of illegal or wrong use, without the possibility of reversing/recovering damages to the data subjects

Type of availability breach *

?Please assess the availability issue form the data subject’s perspective

a) Temporary availability issue b) Permanent availability issue c) Not determined

Nature of the incident (Multi-Choice) *

a) Abuse of access privileges by employee b) Encrypted device / ransomware c) Hacking / malware activity detected d) Phishing / social engineering e) Security vulnerability (likely) exploited f) Unauthorised access to personal data in IT systems g) Data exfiltration / unauthorised extraction h) Data of wrong data subject shown i) Device lost or stolen j) E-waste (data on obsolete device) k) Incorrect disposal of personal data on paper l) Mail lost or opened / misdelivery m) Misconfiguration n) Incorrect access permissions o) Paper lost or stolen or left in insecure location p) Personal data deleted/destroyed q) Personal data displayed to wrong recipient r) Personal data sent by mistake s) Sending email without blind copy t) Technical malfunction u) Unauthorised data modification v) Unintended publication w) Verbal unauthorised disclosure x) to be determined y) Other

Cause of the personal data breach *

a) Internal non malicious b) Internal malicious c) External non malicious d) External malicious e) To be determined f) Unknown

Further description of the nature *

?Please describe the nature of the breach (detection, awareness, cause, measures in place) shortly and provide on what facts your decision is grounded. If possible indicate the root cause of the incident.

Description of systems, software, infrastructures *

?Please list the descriptions them in semantic groups, e.g. Systems: • production database : o client database (full/partial) that countains ****, located in *** o internal HR database (full/partial) that countains ****, located in *** • test infrastucture o testing database (full/partial) that countains ****; located in *** Software: • Accounting software • Payment system software

3.3 Categories of concerned data subjects (Multi-Choice) *

?If you answered i), please indicate what kind of vulnerable people. If you are not sure if or how the concerned data subject are vulnerable, please describe them shortly and why you would consider them as vulnerable.

a) Customers (current and prospects) b) Employees (former, current and candidates) c) Military or law enforcement staff d) Minors e) Patients f) Students g) Subscribers h) Users i) Vulnerable individuals j) Additional concerned data subjects k) Not yet known

Further description of categories *

Data subjects concerned by breach *

a) Exact number b) Approximate number c) Cannot be determined d) To be determined

Number of data subjects *

3.4 Type of breached data (Multi-Choice) *

a) Basic data (e.g. name, surname, DOB) b) Contact details c) Biometric data d) Criminal convictions, offence e) Data revealing political opinions f) Data revealing racial or ethnic origin g) Data revealing religious or philosophical beliefs h) Data revealing sex life or sexual orientation i) Data revealing trade union membership j) Genetic data k) Health data l) Economic and financial data m) Employment related health data n) Identification data o) Location data p) Official documents q) Payment methods r) Profile data s) User credentials t) Not yet known u) Additional data types

Further description of breached data *

Personal data records concerned *

?Please specify the type of record: number of data about each concerned data subject. For instance, to avoid just mentionning “500”. Because “5 types of data (namely ,,,,,) about 100 people” and “100 types of data (namely ,,,,*) about 5 people” may not lead to the same risks assessment, even if it could both be sumed up to “500 records”.

a) Exact number b) Approximate number c) Cannot be determined d) To be determined

Number of records *

?Please indicate here the number of records concerned by the breach, meaning the number of single entries in the database concerned by the breach

3.5 Relevant measures in place (Multi-Choice) *

?This list is not exhaustive and just covers common measures. You may have not applied some measures because they were not applicables or useful. At the same time, you may have applied non-listed measures that were useful. If so, please specify them with the answer to the next questions.

a) Pseudonymisation b) Backup / Recovery plan c) Data encryption d) Data protection and information security policies e) Data protection and security training f) Incident log g) Levels of access to data h) Logical access control (e.g. MFA) i) Periodic audits j) Physical access control k) Up-to-date IT systems l) Other measures

Further description of relevant measures *

4. Further information on the personal data breach

4.1 Likely consequences (Confidentiality) (Multi-Choice) *

a) Disclosed beyond scope b) Data may be linked c) Used for other purposes d) Other e) Under assessment

Additional explanations:
a) Data were disclosed beyond the scope of the privacy policy or relevant legislation
b) Data may be linked, without unreasonable effort, with other information regarding data subjects
c) Data may be used for purposes other than the intended purpose or unlawfully

Description of "other" (Confidentiality) *

Likely consequences (Integrity) (Multi-Choice) *

a) Modified and used b) Modified into valid data c) Other d) Under assessment

Additional explanations:
a) Data may have been modified and used even though it is no longer valid
b) Data may have been modified into otherwise valid data and subsequently used for other purposes

Description of "other" (Integrity) *

Likely consequences (Availability) (Multi-Choice) *

a) Inability to access services b) Service disruptions and difficulties in service use c) Other d) Under assessment

Description of "other" (Availability) *

Nature of the potential impact for the data subject (Multi) *

?Please indicate here the nature of the impact on the data subject rights and freedoms.

a) Loss of control of their personal data b) Limitation of their rights c) Discrimination d) Identity theft or usurpation e) Fraud f) Financial loss g) Unauthorised reversal of pseudonymisation h) Damage to reputation i) Loss of confidentiality (prof. secrecy) j) Disclosure to unauthorised third parties k) Significant economic or social disadvantage l) Physical or mental harm m) Material or non-material damage to property n) Other impact o) To be determined

Further description of other impacts *

Severity of potential impacts *

?Indicate here the result of your self-assessment of the severity of the impact of the breach for the data subjects. Please select the highest severity if multiple potential impacts can occur.

a) Minor b) Moderate c) Severe d) To be determined

4.2 Outcome of risk assessment *

a) High risk b) (Not high) risk c) Unlikely to result in risk d) Additional info needed

Additional explanations:
a) The personal data breach is likely to result in a high risk to the rights and freedoms of natural persons
b) The personal data breach is likely to result in a (not high) risk to the rights and freedoms of natural persons
c) The personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
d) Additional information is needed to assess the risk to the rights and freedoms of natural persons

Further description of risk assessment *

?Please describe the methodology used and the relevant factors you put into account.

4.3 Measures taken to address/mitigate *

?Please indicate to what extend the measures resolve the issue.

4.4 Relevant measures taken to prevent similar incidents (Multi) *

a) Anonymisation b) Backup / Recovery plan c) Change of processes d) Data encryption e) Data protection and information security policies f) Data protection and security training g) Erasure of the data h) Incident log i) Levels of access to data j) Logical access control (e.g. MFA) k) Periodic audits l) Physical access control m) Pseudonymisation n) Up-to-date IT systems o) Other measures

Further description of permanent measures *

5. Communication to the data subjects

Has the breach been communicated to data subjects? *

a) Yes b) No, future date b1) No, date TBD c) No, investigation ongoing d) No, unlikely high risk e) No, Article 34(3) met

Additional explanations:
a) Yes
b) No, but it will be communicated at a later date
c) No, the investigation is still ongoing
d) No, it will not be communicated since the personal data breach is unlikely to result in a high risk to the rights and freedoms of natural persons
e) No, it will not be communicated since one of the conditions referred to in article 34(3) of the GDPR is met

Date information was given *

Future date *

Article 34(3) conditions met *

a) Protection measures applied

The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.

b) Subsequent measures taken

The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise.

c) Disproportionate effort

It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Further description why 34(3) met *

Number of data subjects informed *

a) All informed b) Not all informed

Further description why not all informed *

?Please specify the reason why some data subjects have not been informed, e.g. some might not have been because reason A, some other because reason B, etc. Reasons can be of various natures and not just the technical ones have to be considered: ongoing process, some data subjects cannot be reached the same way, additionnal laws apply to them, the cost of information is much higher, etc

Means of communication *

a) Individual communication (letter/email/personal communication) b) Public announcement (website/press release/social network) c) Other

Further description of other means

Content of information provided *

?Please provide this content in the most relevant way. For example, if the provided information is just an email with only plaintext, copying the text here is sufficent. If, for instance, your information contains pictures/videos useful for understanding, please provide the means for the data protection authority to consult it (website page, email screenshots, download page, etc.)

6. Possible other issues

6.1 Reported to police/judicial authorities?

a) Yes b) No c) Unknown

Notified to other authorities or bodies?

a) Yes b) No c) Unknown

Further info on notifications *

?Please specify which authority (about data protection or not) and if possible, provide the case ID that this authority used and then can be referred to.

6.2 Involves cross-border processing (EEA Controller)

Does the breach involve cross-border processing? *

a) Yes b) No c) Unknown

Lead Supervisory Authority *

List of EEA countries (Establishment) *

List of EEA countries (Data Subjects) *

Approximate number of DS per country *

List of EEA SAs notified *

6.3 Involves processing at non-EU establishments

Does breach involve processing by non-EEA controller? *

a) Yes b) No c) Unknown

List of EEA countries (Data Subjects) *

Approximate number of DS per country *

List of SAs notified *

7. Attachments

Please identify the attachments to this notification

a) Dated copy of the communication to the datasubject b) Dated copy of the risk-assessment c) Dated copy of the research report into the data breach (cyberincidents) d) Dated copy of the ransomware-note e) Dated copy of the phishing-message

with regard to phishing there needs to be a split-up of communications, namely, 3 categories:
- The owner, datasubject of the mailbox
- Data subjects that received a phishing-mail
- Data subjects of which personal data was in the compromised mailbox

f) Dated copy of the internal procedure to notify a data breach g) Dated copy of the internal policy to delete/destroy (outdated) personal data h) Dated copy of the communication to the wrong recipients i) Dated copy of the external notification/message of the data breach j) Other

Other attachments *

Required Information Missing