

Data Breach Notification (EDPB & Italy): 72‑hour Rule, Garante Portal Steps, Digital Signature and Penalties

By Global Law Experts – posted 2 hours ago

Understanding data breach notification EDPB requirements is now a front-line compliance priority for every organisation that processes personal data in Italy. The European Data Protection Board’s Guidelines 9/2022 refined the interpretation of the 72‑hour rule under GDPR, while Italy’s Garante per la protezione dei dati personali operates a dedicated online portal, with its own digital-signature and attachment rules, through which every notification must be filed. With enforcement activity intensifying throughout 2025 and 2026, and sector-specific obligations adding further complexity for telecoms and financial services, in-house counsel and DPOs need a single, actionable playbook that maps EU-level guidance onto Italy’s procedural reality.

Quick 72‑Hour Checklist

If you only do one thing right now: start containment and open the Garante portal self-assessment.

  1. Contain the incident. Isolate affected systems and preserve forensic evidence immediately.
  2. Determine whether a personal data breach has occurred. Apply the GDPR definition: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  3. Assess risk to individuals’ rights and freedoms. Unless the breach is unlikely to result in a risk to those rights and freedoms, you must notify the Garante.
  4. File via the Garante data breach portal at servizi.gpdp.it/databreach/s/, within 72 hours of becoming aware.
  5. Notify affected individuals without undue delay if the breach is likely to result in a high risk.
  6. Document everything in your internal breach register, regardless of whether notification to the Garante is required.

Legal Framework: Article 33 & 34 GDPR and EDPB Guidelines 9/2022

The legal backbone of data breach notification EDPB guidance rests on two provisions of Regulation (EU) 2016/679 (GDPR). Article 33 obliges data controllers to notify the competent supervisory authority (in Italy, the Garante) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Article 34 adds a parallel obligation to communicate the breach directly to affected data subjects when there is a likelihood of high risk.

EDPB Guidelines 9/2022: What Changed

The European Data Protection Board adopted Guidelines 9/2022 on personal data breach notification under the GDPR to provide a targeted update to earlier guidance. The guidelines clarify several practical points that matter for Italian compliance teams:

  • Clock-start interpretation. A controller is considered to have become “aware” when it has a reasonable degree of certainty that a security incident has led to personal data being compromised, not merely when the IT department first detects anomalous traffic.
  • Processors’ duties. Processors must notify the controller without undue delay after becoming aware of a breach, enabling the controller to meet the 72‑hour window.
  • Cross-border cases. Where a breach affects data subjects in multiple Member States, the controller should notify the lead supervisory authority. The EDPB’s “one-stop-shop” mechanism applies, but Italy’s Garante remains the point of contact for controllers established in Italy.
  • Practical examples. The guidelines include case-study scenarios (ransomware attacks, data exfiltration, lost devices, mis-sent emails), each with guidance on when notification to the DPA and to data subjects is required.

Together, Articles 33 and 34 of the GDPR and the EDPB’s interpretive guidance form the regulatory layer that every Italian data controller must operationalise. The Garante has explicitly adopted this framework and requires all notifications to be submitted via its online portal.

Timing Explained: The 72‑Hour Rule GDPR and When the Clock Starts

When Does “Awareness” Begin?

Under the EDPB’s interpretation, the 72‑hour clock starts ticking when the controller has a reasonable degree of certainty that a breach has occurred. A brief initial investigation to determine whether data was in fact compromised is permitted, but this period should not be used to delay notification artificially. The EDPB stresses that a controller cannot claim it was unaware simply because it failed to implement adequate detection measures.

In practice, this means that the moment an IT security team confirms, even provisionally, that personal data has been accessed, altered, disclosed or lost, the 72 hours begin to run.

What If 72 Hours Is Not Feasible?

Article 33(1) GDPR acknowledges that notification within 72 hours may not always be achievable. Where the deadline is exceeded, the controller must provide reasons for the delay alongside the notification itself. The EDPB guidance makes clear that this is an exception, not a routine extension. Repeated late filings may themselves constitute evidence of inadequate breach-response procedures and expose the controller to enforcement action.

A notification may also be made “in phases”: the controller submits an initial notification within the 72‑hour window containing the information available at that time, and then supplements it with additional details as the investigation progresses. The Garante portal supports this approach; controllers can update a previously submitted notification through the same portal interface.

Italy-Specific Procedure: Garante Data Breach Portal Walkthrough

Since 1 July 2021, the Garante has required all personal data breach notifications to be submitted exclusively through its dedicated online portal at servizi.gpdp.it/databreach/s/. The previous email- and PEC-based filing methods are no longer accepted. The portal’s workflow mirrors the Article 33 GDPR notification requirements while adding Italy-specific procedural steps.

Step 1: Self-Assessment

Before beginning the formal notification, the portal presents a self-assessment questionnaire. This guided tool asks the controller a series of questions about the nature and scope of the breach to help determine whether a notification to the Garante is actually required. Questions cover:

  • The category of data involved (ordinary, special-category, criminal-offence data)
  • The number of data subjects affected
  • The type of breach (confidentiality, integrity, availability)
  • Whether the data was encrypted or otherwise protected
  • The likely consequences for individuals

The self-assessment is advisory: it does not bind the controller, but it provides useful documentation of the decision-making process. Industry observers note that completing and saving the self-assessment is a good-practice step even when the outcome suggests notification is not required, because it creates a contemporaneous record for the internal breach register.

Step 2: Completing the Notification Form

If notification is warranted, the portal moves into the main notification form. Each field maps directly to the information elements required by Article 33(3) GDPR:

  • Nature of the breach (Article 33(3)(a): the nature of the personal data breach, including the categories and approximate number of data subjects and records). Be specific: state “ransomware encryption of patient records” rather than “security incident.” Include best estimates where exact numbers are unknown.
  • DPO contact details (Article 33(3)(b): the name and contact details of the DPO or other point of contact). Enter the DPO’s direct email and phone number; the Garante may follow up within hours.
  • Likely consequences (Article 33(3)(c): the likely consequences of the breach). Map consequences to specific risks: identity theft, financial loss, reputational damage, discrimination.
  • Measures taken or proposed (Article 33(3)(d): the measures taken or proposed to address the breach, including mitigation). Detail both immediate containment (network isolation, password resets) and longer-term remediation (encryption upgrades, training).

Step 3: Attachments, Evidence and Logs

The Garante portal allows controllers to upload supporting documents alongside the notification form. Typical attachments include:

  • Incident timeline logs: system access logs, firewall records, SIEM alerts
  • Internal investigation reports: forensic analysis summaries
  • Correspondence with processors: the breach notification from the processor to the controller
  • Risk-assessment documentation: records showing how the risk-to-rights-and-freedoms threshold was evaluated

Practice tip: name each file with a clear, timestamped convention (e.g., 2026-05-20_Incident_Timeline_v1.pdf) and ensure all uploads are finalised before the portal session times out. The portal does not always auto-save progress, so keeping a local copy of all drafted text and attachments is essential.

Step 4: Filing Confirmation and Receipt

Once the notification is submitted, the Garante portal generates a filing receipt with a unique reference number and timestamp. This receipt serves as the controller’s proof that notification was made within the 72‑hour window. Retain this receipt in the internal breach register alongside all supporting documentation. The Garante may subsequently contact the controller’s DPO or nominated contact to request supplementary information or to open a formal investigation.

Digital Signature and Authentication for Garante Notifications

Italy’s legal and administrative framework places particular emphasis on the digital signature for Garante notification submissions. The portal requires that the person submitting the notification authenticate their identity, and certain attachments, particularly formal incident reports and management sign-offs, may need to be digitally signed before upload.

Accepted Signature Formats

Italian administrative practice generally recognises the following qualified electronic signature formats:

  • CAdES (.p7m): a detached or enveloping signature widely used in Italian legal and regulatory filings
  • PAdES (.pdf): an embedded PDF signature that keeps the document human-readable without specialised software

Controllers should verify the exact formats accepted by the portal’s current instructions at the time of filing, as the Garante periodically updates its technical requirements. The portal’s help pages, accessible from within the filing interface, specify the currently accepted signature types and maximum file sizes.

Practical Signing Workflow

  1. Prepare the incident report or attachment in its final form (PDF recommended).
  2. Apply a qualified digital signature using the organisation’s certified signing tool (smart card, USB token or remote-signing service).
  3. Verify the signature before uploading; some portal environments reject files with invalid or expired certificates.
  4. Upload the signed document through the portal’s attachment interface.
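Step 3 of this workflow (verify before upload) as an added example; this is not the article’s or the Garante’s own code. It uses the openssl command-line tool, which is assumed to be installed, and a throwaway self-signed certificate in place of a qualified certificate. The file it produces is a plain DER-encoded CMS SignedData, the container on which CAdES .p7m files are built (a real CAdES signer adds further signed attributes that this example does not). The gate function prints “valid” or “invalid” so that a packaging script can refuse to upload an attachment whose signer certificate has expired or whose content was altered after signing.

```shell
#!/bin/sh
# Added example: pre-upload check of a CMS/CAdES-style .p7m attachment with openssl.
# Assumptions: openssl (1.1.1 or 3.x) is on PATH; a self-signed test certificate stands in
# for the qualified certificate a trust service provider would issue; all data is constructed.
set -eu

WORK="${TMPDIR:-/tmp}/p7m-check.$$"
mkdir -p "$WORK"

# Constructed test signer: RSA key plus a self-signed certificate valid for one day.
make_test_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Breach Report Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.pem" >/dev/null 2>&1
}

# Sign a document as an enveloping (content inside) DER CMS, the .p7m form used in filings.
sign_p7m() {  # $1 = document to sign, $2 = output .p7m path
  openssl cms -sign -binary -nodetach -outform DER \
    -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
    -in "$1" -out "$2"
}

# Verify a .p7m against a trust anchor. $3 (optional) is an epoch time at which the
# certificate's validity period is evaluated, which is how an expired signer is caught.
# Prints "valid" or "invalid" and never aborts the caller, so it can gate an upload step.
verify_p7m() {  # $1 = .p7m path, $2 = CA bundle (PEM), $3 = optional epoch time
  if [ -n "${3:-}" ]; then
    attime="-attime $3"
  else
    attime=""
  fi
  if openssl cms -verify -inform DER -in "$1" -CAfile "$2" $attime \
       -out "$WORK/recovered.bin" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Demonstration on constructed data: a fresh signature, the same file checked after the
# certificate has expired, and a tampered copy.
run_demo() {
  make_test_signer
  printf 'Constructed incident report: ransomware on file server, 2026-05-20\n' > "$WORK/report.txt"
  sign_p7m "$WORK/report.txt" "$WORK/report.p7m"
  echo "fresh signature:    $(verify_p7m "$WORK/report.p7m" "$WORK/signer.pem")"
  three_days_on=$(( $(date +%s) + 3 * 86400 ))
  echo "after cert expiry:  $(verify_p7m "$WORK/report.p7m" "$WORK/signer.pem" "$three_days_on")"
  cp "$WORK/report.p7m" "$WORK/tampered.p7m"
  # Overwrite two bytes inside the enveloped content; the signed digest no longer matches.
  printf 'XX' | dd of="$WORK/tampered.p7m" bs=1 seek=90 conv=notrunc 2>/dev/null
  echo "tampered copy:      $(verify_p7m "$WORK/tampered.p7m" "$WORK/signer.pem")"
}

run_demo
```

For a real filing, the -CAfile argument should point at the trust anchors of the qualified trust service provider that issued the signing certificate rather than at the test certificate. The -attime run shows why the check belongs at upload time: a file signed while the certificate was valid is still rejected by a verifier that evaluates it after expiry without a trusted timestamp.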

Industry observers expect that the Garante will continue to tighten authentication requirements to ensure the integrity and non-repudiation of breach notifications, making advance preparation of digital-signature infrastructure a prudent investment.

Sector-Specific Timing and Obligations: Telecom 24‑Hour Breach Rule and Beyond

While the GDPR’s 72‑hour rule applies across all sectors, certain regulated industries in Italy face additional, shorter reporting deadlines under sector-specific legislation. The most notable is the 24‑hour breach rule that Italian telecom operators must follow.

  • General controller (non-telecom): DPA notification within 72 hours of becoming aware (Article 33 GDPR). Use the Garante portal; notify data subjects only if there is a high risk to their rights and freedoms.
  • Telecom providers (regulated): 24‑hour rapid alert to the sector regulator where applicable; the 72‑hour GDPR notification to the Garante is still required in parallel. Telecoms must operate parallel sector-incident processes; the 24‑hour alert is an initial report that does not replace the full GDPR notification.
  • Healthcare and other sensitive-data controllers: 72 hours (GDPR), with shorter practical detection windows recommended internally. High likelihood of data-subject notification because special-category data is involved; immediate internal escalation protocols are essential.

Telecom providers should note that the 24‑hour sector alert and the 72‑hour GDPR notification are cumulative, not alternative. A rapid alert to the sector regulator does not discharge the obligation to file a complete notification with the Garante via the dedicated portal. Financial-services firms subject to DORA (the Digital Operational Resilience Act) face their own incident-reporting regime, which similarly runs alongside, and does not displace, GDPR obligations.

Who to Notify: DPA, Data Subjects, Law Enforcement and Third Parties

Thresholds for Notifying Data Subjects

Article 34 GDPR requires controllers to communicate a breach directly to affected individuals when it is likely to result in a high risk to their rights and freedoms. The threshold is deliberately higher than the one for DPA notification. Typical high-risk scenarios include breaches involving unencrypted health records, financial account credentials, government identity numbers or data that could facilitate identity theft or discrimination.

The data-subject communication must be in clear, plain language. It must describe the nature of the breach, the likely consequences, the measures taken or proposed to mitigate harm and the contact details of the DPO or alternative contact point.

Law Enforcement, CSIRT-Italia and Sector Regulators

Certain breaches, particularly those involving criminal activity such as hacking, ransomware or insider theft, should also be reported to law enforcement. Additionally, Italy’s national CSIRT (CSIRT-Italia) coordinates technical incident response at a national level and may need to be notified where the breach implicates critical infrastructure. Sector regulators (such as the Bank of Italy, CONSOB or AGCOM for telecoms) maintain their own reporting channels.

Practical Data Breach Notification EDPB Templates and Required Fields

The following sample texts illustrate the minimum elements that a notification to the Garante and a communication to data subjects should contain. They are intended as starting points; every notification must be tailored to the specific facts of the incident.

Sample DPA Notification Excerpt (Garante)

“On [DATE], [CONTROLLER NAME] became aware of a personal data breach affecting approximately [NUMBER] data subjects. The breach involved [NATURE, e.g., unauthorised access to a database containing names, email addresses and encrypted passwords]. The likely consequences include [CONSEQUENCES, e.g., potential phishing attacks using exposed email addresses]. Immediate containment measures include [MEASURES, e.g., forced password resets, network segmentation, engagement of forensic investigators]. The DPO can be reached at [EMAIL / PHONE]. A supplementary notification will follow as the investigation progresses.”

Sample Data-Subject Communication

“We are writing to inform you that a security incident has affected some of your personal data held by [CONTROLLER NAME]. Specifically, [BRIEF DESCRIPTION, e.g., your name and email address may have been accessed by an unauthorised third party on DATE]. We have taken the following steps to protect you: [MEASURES, e.g., reset your account password; engaged cybersecurity experts; notified the Italian Data Protection Authority]. We recommend that you [ADVICE, e.g., change your passwords on other services where you used the same credentials; monitor your accounts for suspicious activity]. For further information, contact our Data Protection Officer at [EMAIL / PHONE].”

Sanctions and Enforcement in Italy: Data Breach Fines and Aggravating Factors

Failing to meet data breach notification obligations can trigger significant fines that Italian controllers must take seriously. Under Article 83(4)(a) GDPR, infringements of the controller’s notification obligations under Articles 33 and 34 are subject to administrative fines of up to €10 million or 2 % of total worldwide annual turnover, whichever is higher. Where the notification failure is part of a broader pattern of non-compliance (e.g., inadequate security measures), fines may escalate to the Article 83(5) ceiling of €20 million or 4 % of worldwide turnover.

Aggravating and Mitigating Factors

The Garante weighs several factors when calibrating penalties:

  • Aggravating: deliberate delay in notification; failure to cooperate with the Garante’s investigation; previous infringements; large number of affected data subjects; processing of special-category data without adequate safeguards.
  • Mitigating: prompt voluntary notification (even if slightly outside the 72‑hour window); proactive remediation and data-subject communication; evidence of a mature data-protection governance programme; cooperation with the Garante throughout the investigation.

Early indications from enforcement trends suggest that the Garante continues to treat delayed or absent notification as a standalone infringement deserving of its own penalty, distinct from any fine imposed for the underlying security failure that caused the breach. This approach reinforces the importance of treating the 72‑hour window as a hard operational deadline rather than an aspirational target.

Post-Notification Steps: Remediation, Recordkeeping and Follow-Up

Filing the notification with the Garante is not the end of the process. Controllers should immediately activate the following post-notification protocol:

  1. Update the internal breach register. Record the Garante filing receipt number, the timeline of events, all decisions taken and the personnel involved.
  2. Continue the forensic investigation. The initial notification may have been based on preliminary findings; supplement it via the Garante portal as new facts emerge.
  3. Implement remediation measures. Address the root cause, patch vulnerabilities, revoke compromised credentials, review access controls.
  4. Communicate internally. Brief senior management, the board (where relevant) and affected business units on the breach status and recovery timeline.
  5. Monitor for secondary incidents. Breached data may be exploited over time; establish enhanced monitoring for the period following the breach.
  6. Prepare for Garante follow-up. The Garante may request additional information, conduct an on-site inspection or open a formal proceeding. Ensure all documentation is readily accessible.
  7. Review and improve. Conduct a formal post-incident review to identify process gaps and update the data-breach response plan accordingly.

Conclusion

Three takeaways should guide every Italian controller’s approach to data breach notification EDPB compliance. First, treat the 72‑hour rule as a non-negotiable operational deadline, not a guideline, and build internal response procedures around it. Second, master the Garante data breach portal before an incident occurs: register accounts, test the self-assessment workflow and prepare digital-signature infrastructure in advance. Third, remember that notification is only one element of a compliant response: documentation, remediation and data-subject communication are equally critical and equally subject to enforcement scrutiny.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Susanna Greggio at GTA Studio Legale, a member of the Global Law Experts network.

Sources

  1. European Data Protection Board, Guidelines 9/2022 on personal data breach notification under GDPR
  2. EDPB, Notify a data breach
  3. Garante per la protezione dei dati personali, Data breach landing page
  4. Garante data breach notification portal
  5. GDPR full text, Regulation (EU) 2016/679 (EUR-Lex)
  6. McCann FitzGerald, New EDPB guidance on personal data breach notifications
  7. Osservatorio Data Protection, EDPB breach guidelines commentary
  8. Garante docweb, Provvedimento sulla notifica delle violazioni di dati personali

FAQs

How do I notify a data breach to the Italian DPA (Garante)?
Use the Garante data breach portal at servizi.gpdp.it/databreach/s/. Complete the self-assessment, fill in the notification form fields required under Article 33 GDPR, upload supporting documents, and retain the filing receipt as proof of timely submission.

Article 33 GDPR requires controllers to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. If notification is delayed beyond 72 hours, the controller must provide reasons for the delay.

No. Article 34 GDPR requires notification to data subjects only when the breach is likely to result in a high risk to their rights and freedoms. If effective technical protections (such as encryption) rendered the data unintelligible, individual notification may not be required.

The portal accepts supporting documents in common file formats. Formal attachments such as incident reports should carry a qualified electronic signature (CAdES or PAdES format). Always check the portal’s current help pages for the latest accepted signature types and file-size limits before filing.

Telecom providers face sector-specific obligations requiring an initial rapid alert, typically within 24 hours, to the relevant sector regulator. This alert runs alongside, and does not replace, the 72‑hour GDPR notification to the Garante via the dedicated portal.

Under Article 83(4)(a) GDPR, failure to comply with notification obligations can attract fines of up to €10 million or 2 % of worldwide annual turnover. Where the failure forms part of broader non-compliance, fines may reach the Article 83(5) ceiling of €20 million or 4 % of turnover.

Yes. Article 33(5) GDPR requires controllers to document all personal data breaches, including their facts, effects and remedial actions, regardless of whether they meet the notification threshold. The Garante may inspect this internal register during audits or investigations.