On 10 June 2026, the European Data Protection Board (“EDPB”) adopted a draft template for personal data breach notification (“Template”) to harmonise reporting of data breaches across the EU. The Template follows the Helsinki Statement on enhanced clarity, support and engagement, which aims to streamline GDPR compliance and which we previously discussed here.
The Template is currently subject to consultation until 5 August 2026, during which time stakeholders can submit feedback and comments on the content of the Template. Following the public consultation, the EDPB will decide on the timeline for the practical implementation of the Template by all Data Protection Authorities (“DPAs”).
The Template aims to simplify compliance under Article 33 of the GDPR, which requires a controller to notify the competent DPA within 72 hours of it becoming aware of a data breach, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The Template streamlines notification and ensures the necessary information is included when making a notification under Article 33(3) of the GDPR, including:
- the type of notification being made
- the data controller, reporting person and data protection officer (if relevant)
- the nature of the personal data breach, including the date, time and duration of the breach, relevant data subjects, and data protection measures in place at the time of the data breach
- the likely consequences of the personal data breach
- mitigating measures and measures to prevent a similar future breach
- any communications with affected data subjects.
The Template includes predefined response options and practical guidance to assist controllers when completing specific fields. Irish data controllers should continue to be cognisant of the Data Protection Commission’s guidance on personal data breach notifications and report any breaches via its website. If organisations would like to participate in the consultation, it is a timely opportunity to review the draft and submit feedback to ensure it meets data controllers’ practical requirements.
If you would like to discuss the content of this article or require assistance with any of your organisation’s data protection requirements, please contact Cian Clinch or Denise O’Shaughnessy.