GDPRIQ

⏱️ Breach Notification Deadline Calculator

Enter when you became aware of a personal-data breach and the current time to see your Article 33 72-hour notification deadline and exactly how long is left to report it.

Informational only — NOT legal advice. Consult a qualified data-protection lawyer or your supervisory authority; regulations vary by jurisdiction and change over time.

🧮 Count down the 72 hours

Times are treated as UTC.

⏱️ 72-hour notification deadline (Art. 33)

Notify the supervisory authority by
2026-07-07 09:00 UTC
Hours remaining
66h
Window
72 hours

The clock starts when you become awareof the breach — reasonably certain a security incident led to personal data being compromised. If you notify after 72 hours, you must give reasons for the delay. Where the breach is unlikely to risk individuals' rights, authority notification may not be required. Informational only — not legal advice.

What this calculator does

When a breach hits, the 72-hour window is easy to lose track of amid the response. This tool pins it down: give it the moment of awareness and it returns the exact deadline and a live-feeling countdown so the whole team is working to the same clock.

The hard part is usually deciding when awareness began — that judgement is yours to document. Everything downstream, from assembling the notification to informing affected individuals, hangs off it.

❓ Frequently Asked Questions

What is the 72-hour breach notification rule?

Under GDPR Article 33(1), a controller must notify the competent supervisory authority of a personal-data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. This calculator counts 72 hours forward from the awareness time you enter and shows the deadline and the time left. Informational only, not legal advice.

When does the clock start?

At the point of awareness — when you have a reasonable degree of certainty that a security incident has occurred and led to personal data being compromised. A brief period of investigation to establish whether a breach really happened is allowed, but the 72 hours run from awareness, not from when the incident first occurred.

What if I miss the 72 hours?

Notification after 72 hours is still required, but it must be accompanied by reasons for the delay. Also note that not every breach needs to be reported: if it is unlikely to result in a risk to the rights and freedoms of individuals, authority notification may not be required — though you must still document it. Where the risk is high, affected individuals must also be told.

Is this legal advice?

No. This tool is informational only and not legal advice. Whether and how to notify depends on the specific facts and your jurisdiction. Consult a qualified data-protection lawyer or your supervisory authority; rules and timescales vary and change over time.