17 June 2026

EDPB Adopt Draft Data Breach Notification Template

Matheson

The European Data Protection Board has introduced a draft common data breach notification template designed to standardize breach reporting across EU Data Protection Authorities.

On 10 June 2026, the European Data Protection Board (“EDPB”) adopted a draft common data breach notification template. In line with the EDPB’s Helsinki Statement, the template aims to make GDPR compliance easier by harmonising the breach reporting process to Data Protection Authorities (“DPAs”) across the EU. The draft template is open to public consultation until 5 August 2026. The EDPB will then decide on the timeline for the practical implementation of the template by all DPAs.

Common data breach notification template

The common template has been drafted to ensure that data breach notifications to DPAs contain all of the information required under Article 33 GDPR. Article 33(1) requires that, in the case of a “personal data breach” (as defined in Article 4(12) GDPR), the controller must notify the competent DPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 33(3) specifies the minimum information which must be included in such a notification, which forms the basis for the draft data breach notification template.

The template is extensive and requires details regarding:

  • the type of notification being made;
  • the data controller, reporting person and data protection officer;
  • the nature of the personal data breach, including the date, time and duration of the breach, the affected data subjects and personal data, and data protection measures in place at the time of the data breach;
  • the likely consequences of the personal data breach;
  • the measures taken to mitigate the effects of the data breach, and to prevent a similar future breach; and
  • the communications with affected data subjects.

Each section, where relevant, includes a list of predefined responses to choose from and guidance on what information to include, in order to simplify the data breach notification process, especially for smaller organisations. The template, if adopted by the EU DPAs, will be of particular assistance to entities which are not in a position to avail of the one-stop-shop under the GDPR, as it will enable such organisations to prepare a single data breach notification for multiple EU DPAs.

For Irish organisations, the data breach notification form available on the website of the Data Protection Commission (the “DPC”) should continue to be completed for the time being. The DPC has also published helpful guidance on personal data breach notifications under the GDPR, to assist organisations with complying with their data breach notification obligations.

Digital Omnibus Regulation

Interestingly, the draft Digital Omnibus Regulation 2025/0360 also proposes that the EDPB develops a common template for data breach notifications, which the European Commission would then be empowered to adopt (by implementing act) following review. As such, this common data breach notification template may become a mandatory requirement across the EU, if this aspect of the proposal is agreed and adopted at EU level.

Next steps

Following the publication of the draft common data breach notification template, the EDPB has launched a public consultation seeking stakeholder feedback until 5 August 2026, after which the EDPB intends to decide on a timeline for the practical implementation of the template by all DPAs.

Whilst DPAs will not necessarily be mandated to adopt the finalised template, it is likely that the template will see significant uptake in light of the fact that the EDPB is composed of representatives from each EU DPA. Therefore, it would be prudent for organisations to take steps to familiarise themselves with the proposed template, and consider submitting any recommendations or feedback to the EDPB during the public consultation stage. This is particularly important, given that the Digital Omnibus Regulation (once finalised) could make the standardised template mandatory for all DPAs to adopt and organisations to use.
