Notify a personal data breach to your Data Protection Authority (DPA)
All data breaches should be notified to the relevant DPA, except for those unlikely to present any risk to individuals, according to Art. 33 GDPR.
If the breach takes place in the context of cross-border processing, the data controller will need to notify the lead DPA or, at a minimum, the local DPA where the breach has taken place.
Where a data controller does not have a main establishment in the EEA, the one-stop-shop mechanism does not apply. Therefore, in such cases the breach will need to be notified to every DPA for which affected individuals reside in their country.
To facilitate this notification, DPAs have implemented procedures and online forms guiding you through this process.
Austria
Österreichische Datenschutzbehörde
(Austrian Data Protection Authority)
The data breach notification is accepted in German.
Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Austria
dsb@dsb.gv.at
http://www.dsb.gv.at/
Belgium
Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles - Brussel
Belgium
contact@apd-gba.be
https://www.autoriteprotectiondonnees.be
https://www.gegevensbeschermingsautoriteit.be
Bulgaria
Commission for Personal Data Protection of the Republic of Bulgaria
(Bulgarian Data Protection Authority)
The information on data breach notification are also available in English and French.
The data breach notification is accepted in Bulgarian.
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
1592 Sofia
Bulgaria
kzld@cpdp.bg
https://www.cpdp.bg/
Croatia
Agencija za zaštitu osobnih podataka (AZOP)
(Croatian Personal Data Protection Agency)
The data breach notification is accepted in Croatian or English.
Croatian Personal Data Protection Agency
Selska Cesta 136
10000 Zagreb
Croatia
azop@azop.hr
http://www.azop.hr/
Cyprus
Office of the Commissioner for Personal Data Protection
(Cypriot Data Protection Authority)
The data breach notification is accepted in Greek, or in English in cases where the breach concerns cross-border processing.
Commissioner for Personal Data Protection
15, Kypranoros Street
1061 Nicosia
P.O. Box. 23378
1682 Nicosia
Cyprus
commissioner@dataprotection.gov.cy
http://www.dataprotection.gov.cy/
Czech Republic
Office for Personal Data Protection
(Czech Data Protection Authority)
Notify a data breach:
- Data breach information
- Data breach form (Czech)
- Send the notification form by email to posta@uoou.gov.cz
The data breach notification is accepted in Czech and English.
Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
posta@uoou.cz
http://www.uoou.cz/
Denmark
Datatilsynet
(Danish Data Protection Authority)
Danish companies and natural persons can submit the notification online, while everyone can send it by email to dt@datatilsynet.dk.
The data breach notification is accepted in Swedish, Norwegian or English.
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
Denmark
dt@datatilsynet.dk
http://www.datatilsynet.dk/
Estonia
Estonian Data Protection Inspectorate
(Estonian Data Protection Authority)
Personal data breach notifications can be reported:
- Filling out the form in Estonian or English, and send it by email to info@aki.ee
- Submit the notification via specific e-service. Service can be used by persons having national eID carriers like ID-card, Mobile-ID or Smart-ID.
The data breach notification is accepted in Estonian or English.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Estonia
info@aki.ee
http://www.aki.ee/
Finland
Office of the Data Protection Ombudsman
(Finnish Data Protection Authority)
The data breach notification is accepted in Finnish, Swedish or English.
Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki
Finland
tietosuoja@om.fi
http://www.tietosuoja.fi/en/
France
Commission Nationale de l'Informatique et des Libertés - CNIL
(French Data Protection Authority)
The data breach notification is accepted in French.
Commission Nationale de l'Informatique et des Libertés - CNIL
3 Place de Fontenoy
TSA 80715 – 75334 Paris, Cedex 07
France
http://www.cnil.fr/
https://www.cnil.fr/en/contact-cnil
Germany
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Federal Commissioner for Data Protection and Freedom of Information
The data breach notification is accepted in German.
Data Protection Authority of Mecklenburg-Western Pomerania
The data breach notification is accepted in German or English.
The Rhineland-Palatinate State Commissioner for Data Protection and freedom of information
The data breach notification is accepted in German or English.
Der Landesbeauftragte für den Datenschutz Niedersachsen
The data breach notification is accepted in German or English.
Die Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Office of the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information)
The data breach notification is accepted in German or English.
Bayerisches Landesamt für Datenschutzaufsicht
Bavarian Data Protection Authority for the Private Sector
The data breach notification is accepted in German or English.
Berliner Beauftragte für Datenschutz und Informationsfreiheit
The data breach notification is accepted in German.
Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg
The Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg)
The data breach notification is accepted in German or English.
The Hessian Commissioner for Data Protection and Freedom of Information
The data breach notification is accepted in German.
Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg
Brandenburg Commissioner for Data Protection and Access to Information
The data breach notification is accepted in German or English.
Unabhängiges Datenschutzzentrum Saarland
The data breach notification is accepted in German.
Landesbeauftragte für Datenschutz Schleswig-Holsetin
Email: mail@datenschutzzentrum.de
The data breach notification is accepted in German or English.
Landesbeauftragter für den Datenschutz Sachsen-Anhalt
The Data Protection Commissioner of Saxony-Anhalt
The data breach notification is accepted in German or English.
Saxon Data Protection and Transparency Commissioner
The data breach notification is accepted in German or English.
Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit
The Commissioner for Data Protection and Freedom of Information Thüringen
Notify a data breach:
- Fill in the form and send it by email to poststelle@datenschutz.thueringen.de
- Fill in the form and send it by post to Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit, Postfach 900455 - 99107 Erfurt
The data breach notification is accepted or German.
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
The Hamburg Commissioner for Data Protection and Freedom of Information
The data breach notification is accepted in German or English.
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Graurheindorfer Straße 153
53117 Bonn
Germany
poststelle@bfdi.bund.de
http://www.bfdi.bund.de/
Greece
Hellenic Data Protection Authority
(Greek Data Protection Authority)
Notify a data breach:
The data breach notification is accepted in Greek or English.
Hellenic Data Protection Authority
Kifisias Av. 1-3
11523 Ampelokipi Athens
Greece
contact@dpa.gr
http://www.dpa.gr/
Hungary
Nemzeti Adatvédelmi és Információszabadság Hatóság / Hungarian National Authority for Data Protection and Freedom of Information
(Hungarian Data Protection Authority)
Notify a data breach:
- by post: download the notification form and send it to the Hungarian DPA at 1363 Budapest, Pf.: 9.; Hungary
- by email: download the notification form and send it to ugyfelszolgalat@naih.hu
- online: on the Hungarian DPA notification surface
- on the Hungarian DPA's electronic administration interface (e-papir)
The personal data breach notification portal is only for personal data breach notifications for data controllers, it is not possible to submit complaints.
The data breach notification is accepted in Hungarian, preliminary notifications are also accepted in English, but it is mandatory to submit them later in Hungarian.
Hungarian National Authority for Data Protection and Freedom of Information
Falk Miksa utca 9-11
H-1055 Budapest
Hungary
privacy@naih.hu
http://www.naih.hu/
Iceland
- Data controllers can submit a data breach notification by filling the online form.
- Individuals that want to report on a potential data breach can do so via email at postur@personuvernd.is
The data breach notification is accepted in Icelandic, or in English in cases where the breach concerns cross-border processing.
Ireland
Data Protection Commission - DPC
(Irish Data Protection Authority)
The data breach notification is accepted in Irish or English.
Data Protection Commission
21 Fitzwilliam Square
D02 RD28 Dublin 2
Ireland
info@dataprotection.ie
http://www.dataprotection.ie/
Italy
Garante per la protezione dei dati personali
(Italian Data Protection Authority)
The data breach notification is accepted in Italian.
Garante per la protezione dei dati personali
Piazza Venezia, 11
00187 Roma
Italy
segreteria.stanzione@gpdp.it
http://www.garanteprivacy.it/
Latvia
Data State Inspectorate
(Latvian Data Protection Authority)
The data breach notification is accepted in Latvian.
Data State Inspectorate
Elijas Street 17
LV-1050 Riga
Latvia
pasts@dvi.gov.lv
https://www.dvi.gov.lv/
Liechtenstein
Data Protection Authority Principality of Liechtenstein
Notify a data breach:
The data breach notification is accepted in German or English.
Data Protection Authority, Principality of Liechtenstein
Städtle 38
9490 Vaduz
Liechtenstein
info.dss@llv.li
https://www.datenschutzstelle.li
Lithuania
State Data Protection Inspectorate
(Lithuanian Data Protection Authority)
Further information:
- Notification of a Personal Data Breach to the State Data Protection Inspectorate (English)
- Notification form (English)
- Privacy notice
- Link to e-service
The data breach notification is accepted in Lithuanian. Documents in English are only for information
State Data Protection Inspectorate
L. Sapiegos str. 17
LT-10312 Vilnius
Lithuania
ada@ada.lt
https://vdai.lrv.lt/
Luxembourg
Commission Nationale pour la Protection des Données
(Luxembourgish Data Protection Authority)
Notify a data breach:
- Fill in the form
- Send it by email to databreach@cnpd.lu or by post to Commission nationale pour la protection des données, 15, Boulevard du Jazz I L-4370 Belvaux
The data breach notification is accepted in French, German or English.
Commission Nationale pour la Protection des Données
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
info@cnpd.lu
http://www.cnpd.lu/
Malta
Office of the Information and Data Protection Commissioner
(Maltese Data Protection Authority)
The data breach notification is accepted in English or Maltese.
Office of the Information and Data Protection Commissioner
Second Floor, Airways House
High Street
SLM 1549 Sliema
Malta
idpc.info@idpc.org.mt
http://www.idpc.org.mt/
Netherlands
Autoriteit Persoonsgegevens
(Dutch Data Protection Authority)
The data breach notification is accepted in Dutch or English.
Autoriteit Persoonsgegevens
Hoge Nieuwstraat 8
P.O. Box 93374
2509 AJ Den Haag/The Hague
Netherlands
https://autoriteitpersoonsgegevens.nl/
Norway
Datatilsynet
(Norwegian Data Protection Authority)
Notify a data breach:
- Online guidance
- By email to postkasse@datatilsynet.no.
There is no specific form to use to notify a personal data breach by email, the online guidance provides the information that is expected to be received with a personal data breach notification.
The data breach notification is accepted in Norwegian, Danish, Swedish or English.
Datatilsynet
P.O. Box 458 Sentrum
0150 Oslo
Norway
postkasse@datatilsynet.no
https://www.datatilsynet.no
Poland
Urząd Ochrony Danych Osobowych
(Polish Data Protection Authority)
The data breach notification is accepted in Polish, the English translation of the form available on the website is for information purposes only.
Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2
00-193 Warsaw
Poland
kancelaria@uodo.gov.pl
https://uodo.gov.pl/
Portugal
Comissão Nacional de Proteção de Dados (CNPD)
(Portuguese Data Protection Authority)
The data breach notification is accepted in Portuguese.
Comissão Nacional de Proteção de Dados - CNPD
Av. D. Carlos I, 134, 1º
1200-651 Lisboa
Portugal
geral@cnpd.pt
http://www.cnpd.pt/
Romania
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal
(Romanian Data Protection Authority)
The data breach notification is accepted in Romanian or English.
The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30
Sector 1 BUCUREŞTI
Romania
anspdcp@dataprotection.ro
http://www.dataprotection.ro/
Slovakia
Office for Personal Data Protection of the Slovak Republic
(Slovak Data Protection Authority)
The data breach notification is accepted in Slovak.
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Slovakia
statny.dozor@pdp.gov.sk
http://www.dataprotection.gov.sk/
Slovenia
Information Commissioner of the Republic of Slovenia
(Slovenian Data Protection Authority)
Notify a data breach:
- Fill in the form (docx)
- In case of cross-border data breach, please fill in the additional form (docx)
- Send the form(s) by email: prijava-krsitev@ip-rs.si
The data breach notification is accepted in Slovenian.
Information Commissioner of the Republic of Slovenia
Dunajska 22
1000 Ljubljana
Slovenia
gp.ip@ip-rs.si
https://www.ip-rs.si/
Spain
Agencia Española de Protección de Datos
(Spanish Data Protection Authority)
Notify a data breach:
- Fill in the online form
- Only for controllers not established in the Union, fill in the pdf form completely, digitally sign and submit to brechas@aepd.es
The data breach notification is accepted in Spanish or English.
Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6
28001 Madrid
Spain
internacional@aepd.es
https://www.aepd.es/
Sweden
Integritetsskyddmyndigheten
(Swedish Data Protection Authority)
Notify a data breach:
The data breach notification is accepted in Swedish or English.
Integritetsskyddsmyndigheten
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Sweden
imy@imy.se
http://www.imy.se/