GDPR Art. 33
General Data Protection Regulation (EU 2016/679)
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority. The notification shall describe the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and measures taken or proposed to address the breach and mitigate its possible adverse effects.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1133 | Attackers exploit exposed services to gain initial access, directly leading to a personal data breach requiring notification under GDPR Art. 33. | 90% |
| T1190 | Exploiting vulnerabilities in public-facing applications grants initial access, resulting in a data breach that necessitates reporting under GDPR Art. 33. | 90% |
| T1566 | Phishing campaigns compromise user credentials, enabling unauthorized access to personal data and triggering breach notification obligations under GDPR Art. 33. | 80% |
| T1547 | Establishing persistence ensures continued unauthorized access to systems containing personal data, prolonging a breach and complicating its assessment for GDPR Art. 33 reporting. | 80% |
| T1068 | Gaining elevated privileges allows attackers to access more sensitive personal data, expanding the scope of a breach and impacting the notification details required by GDPR Art. 33. | 90% |
| T1027 | Obfuscation hinders detection of malicious activity, delaying awareness of a personal data breach and potentially impacting the 72-hour notification window under GDPR Art. 33. | 80% |
| T1070 | Deleting logs and other indicators of compromise obscures the breach, making it harder to assess its nature and consequences as required for notification under GDPR Art. 33. | 80% |
| T1003 | Stealing credentials provides access to systems holding personal data, directly contributing to a breach and necessitating notification under GDPR Art. 33. | 90% |
| T1083 | Discovering files and directories containing personal data is a precursor to collection and exfiltration, defining the scope of a breach for GDPR Art. 33 reporting. | 80% |
| T1021 | Using remote services for lateral movement expands the reach of an attacker, potentially increasing the volume and categories of personal data compromised, which must be reported under GDPR Art. 33. | 80% |
| T1005 | Collecting personal data from local systems is a direct action leading to a breach, requiring the controller to assess and report the incident under GDPR Art. 33. | 90% |
| T1071 | Command and control communication facilitates data exfiltration or manipulation, directly contributing to a personal data breach that requires reporting under GDPR Art. 33. | 80% |
| T1041 | Exfiltrating personal data confirms a breach, necessitating immediate assessment of data categories and subjects for notification to the supervisory authority under GDPR Art. 33. | 90% |
| T1485 | Destroying personal data constitutes a breach of availability, requiring notification under GDPR Art. 33 due to the severe impact on data subjects. | 90% |
| T1486 | Encrypting personal data for impact, such as ransomware, renders it unavailable, constituting a breach of availability and requiring notification under GDPR Art. 33. | 90% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | A defined incident response plan ensures timely detection, containment, and analysis of a breach, facilitating the 72-hour notification requirement and comprehensive reporting under GDPR Art. 33. | 100% |
| M1047 | Regular auditing and logging help detect unauthorized access and data exfiltration, enabling prompt awareness of a breach for notification within the GDPR Art. 33 timeframe. | 90% |
| M1050 | Proactive vulnerability scanning reduces attack surfaces, preventing initial access techniques that could lead to a personal data breach, thus reducing the need for GDPR Art. 33 reporting. | 80% |
| M1051 | Segmenting networks limits lateral movement, containing the scope of a breach and simplifying the assessment of affected data subjects for GDPR Art. 33 notification. | 80% |
| M1035 | Strong user account management prevents unauthorized access and privilege escalation, reducing the likelihood of a personal data breach requiring notification under GDPR Art. 33. | 80% |
| M1028 | Secure OS configurations reduce system vulnerabilities, preventing various attack techniques that could lead to a personal data breach and subsequent GDPR Art. 33 reporting. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 | This weakness directly causes a personal data breach, necessitating notification under GDPR Art. 33 due to unauthorized disclosure. | 90% |
| CWE-287 | Improper authentication allows unauthorized access to systems containing personal data, directly leading to a breach that requires reporting under GDPR Art. 33. | 90% |
| CWE-269 | This weakness enables attackers to gain elevated privileges, accessing more sensitive personal data and expanding the scope of a breach for GDPR Art. 33 notification. | 80% |
| CWE-79 | XSS vulnerabilities can lead to session hijacking or data theft, resulting in a personal data breach that requires notification under GDPR Art. 33. | 80% |
| CWE-89 | SQL injection allows unauthorized database access, leading to the disclosure or manipulation of personal data, a breach requiring GDPR Art. 33 notification. | 80% |
| CWE-522 | Weak credential protection allows attackers to compromise accounts, gaining access to personal data and causing a breach that must be reported under GDPR Art. 33. | 90% |
| CWE-732 | Incorrect permissions allow unauthorized access or modification of personal data, directly causing a breach that requires notification under GDPR Art. 33. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0187 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation