A personal-data breach starts a legal clock. Under [GDPR art. 33], you must notify your supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to risk people's rights and freedoms. If the risk is high, you may also need to notify the affected individuals directly under [GDPR art. 34]. The breach notification kit records the facts, tracks both deadlines, and prepares the two documents — you review and file them yourself.
What miniterms does — and doesn't do
miniterms prepares the Article 33 supervisory-authority notification and the Article 34 individual notice from the facts you enter. It does not assess whether you are legally required to notify, does not file anything with a regulator, and does not email affected individuals on your behalf. Every action is yours to take.
Recording a breach
- Open Compliance → Breach kit in the sidebar and click Record a breach.
- When you became aware — awareness is what starts the 72-hour clock, so enter the real discovery time, not the time you opened the kit. Also pick your supervisory authority (AEPD, CNIL, ICO, or your lead EU authority).
- The breach itself (Article 33(3)) — describe what happened, select the breach type(s) (confidentiality, integrity, or availability), the categories of personal data involved, whether special-category data (Art. 9) is included, and an approximate number of affected data subjects and records (or mark them unknown). Add the likely consequences and the measures you have taken or propose to take, plus your DPO or contact details.
- Notifying individuals (Article 34) — decide whether you will notify affected individuals, or record that you are not notifying because the risk is low. A no-notification decision requires a written reason, per [GDPR art. 33(5)].
- Click Record incident & start clock.
The 72-hour clock
Once recorded, the incident page shows a live countdown from your recorded awareness time. It turns amber inside the last 24 hours and red once overdue. The clock settles (stops counting) once you mark the incident as authority-notified, individuals-notified, no-notification, or closed.
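The clock behaviour described above, written out as an added example in Python. This is illustrative code, not part of miniterms; the status names, the 24-hour amber threshold and the ISO 8601 string inputs are assumptions chosen to mirror the description. It shows the one thing that matters for the deadline: the clock is computed from the recorded awareness time, and only the terminal statuses stop it.

```python
from datetime import datetime, timedelta

# Assumed constants mirroring the page: 72 h to notify, amber inside the last 24 h.
NOTIFY_WINDOW = timedelta(hours=72)
AMBER_WINDOW = timedelta(hours=24)

# Assumed status names; the page lists these four as the ones that settle the clock.
SETTLED_STATUSES = {"authority_notified", "individuals_notified", "no_notification", "closed"}


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist on a timezone so the window is unambiguous."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} has no timezone; store awareness time with an offset")
    return dt


def clock_state(aware_at: str, now: str, status: str = "open") -> dict:
    """Return the Art. 33 deadline, hours remaining and a colour band for the incident page.

    band is 'green', 'amber' (inside the last 24 h), 'red' (overdue) or 'settled'
    (a terminal status was recorded, so the countdown no longer runs).
    """
    aware = _parse(aware_at)
    deadline = aware + NOTIFY_WINDOW
    if status in SETTLED_STATUSES:
        return {"deadline": deadline.isoformat(), "hours_remaining": None, "band": "settled"}

    remaining = deadline - _parse(now)
    if remaining <= timedelta(0):
        band = "red"
    elif remaining <= AMBER_WINDOW:
        band = "amber"
    else:
        band = "green"
    return {
        "deadline": deadline.isoformat(),
        "hours_remaining": remaining.total_seconds() / 3600,
        "band": band,
    }


if __name__ == "__main__":
    # Constructed sample: awareness at 09:00 UTC, checked 50 hours later.
    print(clock_state("2024-01-01T09:00:00+00:00", "2024-01-03T11:00:00+00:00"))
```

Note that the deadline is derived only from `aware_at`; if the awareness time is entered late or inaccurately, every downstream colour band is wrong, which is why the kit asks for the real discovery time.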
Downloading and sending the documents
From the incident detail page you can:
- Download Article 33 notification — the regulator-ready notification document, as a PDF.
- Download Article 34 notice — the individual notice document, as a PDF.
- Email these to me — sends both documents to your own account contact address so you can review and forward them.
Recording what you've done
Use the status buttons to log what actually happened: mark the authority notified, mark individuals notified, record a no-notification decision (with required reasoning), or close the incident once everything is handled.
Anchored awareness proof
When provenance is enabled on your workspace, the moment you recorded awareness of the breach is anchored as a tamper-evident receipt, viewable via the "Anchored awareness proof" link on the incident page. This proves when you became aware — it does not certify that your response was compliant.
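The page does not say how the awareness receipt is built, so the following is an added illustration, not miniterms' provenance mechanism. It assumes an anchoring service that holds a secret key and issues an HMAC-SHA256 receipt over a canonical JSON payload (incident id, awareness time, time of recording). The point it demonstrates is the tamper-evidence property: changing the awareness time after the fact breaks verification, while the receipt says nothing about whether the response itself was compliant.

```python
import hashlib
import hmac
import json


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so the same facts always produce the same bytes to MAC."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_receipt(key: bytes, incident_id: str, aware_at: str, recorded_at: str) -> dict:
    """Issue a receipt binding the awareness time to the moment it was recorded.

    key is held by the (hypothetical) anchoring service, not by the workspace user.
    """
    payload = {"incident_id": incident_id, "aware_at": aware_at, "recorded_at": recorded_at}
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_receipt(key: bytes, receipt: dict) -> bool:
    """Recompute the MAC over the presented payload; any edit to a field makes this fail."""
    expected = hmac.new(key, canonical(receipt["payload"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so verification timing does not leak the expected MAC.
    return hmac.compare_digest(expected, receipt["mac"])


if __name__ == "__main__":
    # Constructed sample values; the key is a demo placeholder, not a real secret.
    key = b"constructed-demo-anchoring-key"
    receipt = issue_receipt(key, "INC-0001", "2024-01-01T09:00:00+00:00", "2024-01-01T09:12:00+00:00")
    print("valid:", verify_receipt(key, receipt))

    # Backdating the awareness time after issuance is detected.
    tampered = {"payload": dict(receipt["payload"], aware_at="2024-01-02T09:00:00+00:00"),
                "mac": receipt["mac"]}
    print("tampered valid:", verify_receipt(key, tampered))
```

The receipt covers `recorded_at` as well as `aware_at`, so it attests when the awareness claim was entered; it cannot attest that the entered awareness time was truthful, and it does not encode anything about Article 33 or 34 decisions.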
Limits
The kit tracks the clock and drafts the two documents from what you tell it. It does not perform legal risk assessment, does not determine whether Article 34 notification is legally required in your case, and does not submit anything on your behalf. For high-risk or ambiguous breaches, involve your DPO or counsel before deciding not to notify.