Precedent corpus / EDPB (European Data Protection Board)
European Data Protection Board
EDPB (European Data Protection Board) case GL-09-2022, decided 2023-03-28. No monetary penalty (reprimand or guidance).
Regulator guidance (positive exemplar)
What the regulator decided
Under Article 33(1) GDPR the controller must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it". A controller is "considered to have become aware" once it has a "reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised", not at the moment of the underlying compromise.
Primary source
Regulator-owned URL. Quote this in legal briefs and academic citations.
https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdfArchived snapshot
Wayback Machine snapshot of the primary source. Use this when the regulator URL might be refactored or expire.
https://web.archive.org/web/20260506171220/https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdfConsentMark interpretation
Operator-readable note on how this case shapes the ConsentMark scanner narrative. Not a legal opinion; cites the primary source.
[Type: guidance] Non-enforcement guideline. Cite when the scanner narrative covers a delayed-notification finding - the EDPB's "reasonable degree of certainty" test is what supervisory authorities apply when computing whether the 72-hour clock was breached (compare DPC IN-19-4-1 Meta and ICO 23andMe-2025-06).
Verification trail
- Verified by
- donal
- Verified at
- 2026-05-27
- Review due
- 2026-11-27
Cite this case
Pick the format that matches where you are pasting. The methodology version is preserved in every variant so the citation stays verifiable after future methodology changes.
@misc{consentmark-precedent-edpb-gl-09-2022,
author = {{ConsentMark}},
year = {2023},
title = {EDPB (European Data Protection Board) GL-09-2022 - European Data Protection Board},
howpublished = {\url{https://www.consentmark.com/precedent/edpb-gl-09-2022}},
note = {ConsentMark methodology v1.3}
}ConsentMark. (2023, March 28). EDPB (European Data Protection Board) GL-09-2022 - European Data Protection Board. Methodology v1.3. https://www.consentmark.com/precedent/edpb-gl-09-2022[EDPB (European Data Protection Board) GL-09-2022 - European Data Protection Board - ConsentMark](https://www.consentmark.com/precedent/edpb-gl-09-2022)EDPB (European Data Protection Board) GL-09-2022 - European Data Protection Board - ConsentMark, 2023-03-28, methodology v1.3, https://www.consentmark.com/precedent/edpb-gl-09-2022