Guidelines 09/2022 on personal data breach notification under GDPR

flowchart TD
    A["Controller detects/is made aware of security incident and establishes if personal data breach has occurred"] --> B
    B["Controller becomes 'aware' of personal data breach and assesses risk to individuals"] --> C
    C{"Is the breach likely to result in risk to individuals' rights and freedoms?"} 
    C -->|No| D["No requirement to notify supervisory authority or individuals"] --> F
    C -->|Yes| E["Notify competent supervisory authority. If breach affects individuals in more than one Member State, notify lead supervisory authority"] --> F
    C -->|Yes| G{"Is the breach likely to result in high risk to individuals' rights and freedoms?"}
    G -->|No| H["No requirement to notify individuals"] --> F
    G -->|Yes| I["Notify affected individuals and provide information on steps they can take to protect themselves"] --> F
    F["All breaches recordable under Article 33(5) GDPR. Breach should be documented and record maintained by controller"]
    
    style D fill:#2e5e4a
    style H fill:#2e5e4a
    style E fill:#b66c29
    style I fill:#be474a