
EDPB adopts draft data breach notification template

On 10 June 2026, the European Data Protection Board (“EDPB”) adopted a draft common data breach notification template.  In line with the EDPB’s Helsinki Statement, the template aims to make GDPR compliance easier by harmonising the breach reporting process to Data Protection Authorities (“DPAs”) across the EU.  The draft template is open to public consultation until 5 August 2026.  The EDPB will then decide on the timeline for the practical implementation of the template by all DPAs.

Common data breach notification template

The common template has been drafted to ensure that data breach notifications to DPAs contain all of the information required under Article 33 GDPR.  Article 33(1) requires that, in the case of a “personal data breach” (as defined in Article 4(12) GDPR), the controller must notify the competent DPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.  Article 33(3) specifies the minimum information which must be included in such a notification, which forms the basis for the draft data breach notification template.

The template is extensive and requires details regarding:

  • the type of notification being made;
  • the data controller, reporting person and data protection officer;
  • the nature of the personal data breach, including the date, time and duration of the breach, the affected data subjects and personal data, and data protection measures in place at the time of the data breach;
  • the likely consequences of the personal data breach;
  • the measures taken to mitigate the effects of the data breach, and to prevent a similar future breach; and
  • the communications with affected data subjects.

Each section, where relevant, includes a list of predefined responses to choose from and guidance on what information to include, in order to simplify the data breach notification process, especially for smaller organisations.  The template, if adopted by the EU DPAs, will be of particular assistance to entities which are not in a position to avail of the one-stop-shop under the GDPR, as it will enable such organisations to prepare a single data breach notification for multiple EU DPAs.

For Irish organisations, the data breach notification form available on the website of the Data Protection Commission (the “DPC”) should continue to be completed for the time being.  The DPC has also published helpful guidance on personal data breach notifications under the GDPR, to assist organisations with complying with their data breach notification obligations.

Digital Omnibus Regulation

Interestingly, the draft Digital Omnibus Regulation 2025/0360 (previously discussed here and here) also proposes that the EDPB develops a common template for data breach notifications, which the European Commission would then be empowered to adopt (by implementing act) following review.  As such, this common data breach notification template may become a mandatory requirement across the EU, if this aspect of the proposal is agreed and adopted at EU level.

Next steps

Following the publication of the draft common data breach notification template, the EDPB has launched a public consultation seeking stakeholder feedback until 5 August 2026, after which the EDPB intends to decide on a timeline for the practical implementation of the template by all DPAs.

Whilst DPAs will not necessarily be mandated to adopt the finalised template, it is likely that the template will see significant uptake in light of the fact that the EDPB is composed of representatives from each EU DPA.  Therefore, it would be prudent for organisations to take steps to familiarise themselves with the proposed template, and consider submitting any recommendations or feedback to the EDPB during the public consultation stage.  This is particularly important, given that the Digital Omnibus Regulation (once finalised) could make the standardised template mandatory for all DPAs to adopt and organisations to use.

Contact us

If you have any questions on anything contained in this article or on the data breach notification template in general, please feel free to reach out to a member of the Technology and Innovation Group or your usual Matheson contact.

© 2026 Matheson LLP | All Rights Reserved