GDPR Art. 34
General Data Protection Regulation (EU 2016/679)
AL · Founder at SQUR · last verified 2026-06-19
Regulation text
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach. Communication is not required when the controller has implemented appropriate technical and organisational protection measures (such as encryption) that render the personal data unintelligible to any unauthorised person.
ATT&CK techniques mapped to this article · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 Exploit Public-Facing Application | Exploiting a public-facing application gives direct unauthorized access to the systems behind it, bypassing the controls meant to keep personal data out of reach; a resulting breach of intelligible personal data falls under Art. 34. | 100% |
| T1566.001 Spearphishing Attachment | Spearphishing attachments are a primary initial-access vector; a foothold on a host that processes personal data is the usual starting point of an Art. 34 breach. | 90% |
| T1059.003 Windows Command Shell | Command-shell execution lets the attacker run the discovery, collection and exfiltration steps that turn a foothold into a high-risk personal data breach. | 80% |
| T1547.001 Registry Run Keys / Startup Folder | Run-key or Startup-folder persistence keeps unauthorized access alive across reboots, lengthening the window in which personal data can be accessed and raising the risk to data subjects. | 70% |
| T1068 Exploitation for Privilege Escalation | Privilege escalation lets the attacker bypass access controls and reach personal data the compromised account could not read, contributing directly to a high-risk breach. | 90% |
| T1027.002 Software Packing | Packing obfuscates malicious code and delays detection, so the attacker's access to personal data lasts longer before it is discovered. | 70% |
| T1070.004 File Deletion | Deleting files removes evidence of compromise, hampering incident response and delaying detection of the breach, which in turn delays the communication to data subjects that Art. 34 requires without undue delay. | 70% |
| T1003.001 LSASS Memory | Dumping LSASS yields credentials that give unauthorized access to systems and to the personal data on them. | 100% |
| T1003.003 NTDS | Extracting the NTDS database yields domain-wide credentials, enabling widespread compromise of personal data. | 100% |
| T1087.001 Local Account | Enumerating local accounts identifies targets for privilege escalation and lateral movement on the path to personal data. | 80% |
| T1083 File and Directory Discovery | Locating the files that hold personal data is the precursor to collecting and exfiltrating them. | 90% |
| T1021.001 Remote Desktop Protocol | Lateral movement over RDP extends the breach to further systems holding personal data, widening its scope and the risk to data subjects. | 80% |
| T1005 Data from Local System | Collecting data from local systems is the act of accessing and staging personal data for exfiltration. | 100% |
| T1041 Exfiltration Over C2 Channel | Exfiltration over the C2 channel is the unauthorized disclosure itself: the data leaves the controller's custody in a form intelligible to the attacker. | 100% |
| T1486 Data Encrypted for Impact | Ransomware destroys the availability of personal data, which is itself a breach, and where copies were exfiltrated first it also discloses them. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1050 Exploit Protection | Exploit prevention reduces the attack surface, blocking the initial access and privilege escalation that lead to personal data breaches. | 90% |
| M1035 Limit Access to Resource Over Network | Restricting network access to resources keeps unauthorized parties away from personal data, so it cannot be collected or exfiltrated. | 90% |
| M1030 Network Segmentation | Segmentation isolates the environments that hold personal data, containing a breach and blocking lateral movement, which limits how much personal data is exposed. | 80% |
| M1026 Privileged Account Management | Managing privileged accounts reduces credential compromise and abuse, so an attacker cannot easily gain the elevated access needed to reach sensitive personal data. | 90% |
| M1032 Multi-factor Authentication | MFA keeps stolen passwords from being enough to reach systems holding personal data, cutting the breach risk from credential theft. | 90% |
| M1041 Encrypt Sensitive Information | Encryption renders personal data unintelligible to unauthorized persons, which is the exemption the article names. The exemption holds only if the measure was actually applied to the affected data and the keys were not also compromised, and it relieves the controller of communicating to data subjects, not of notifying the supervisory authority under Art. 33. | 100% |
| M1013 Application Developer Guidance | Secure coding guidance reduces the application vulnerabilities an attacker could exploit to reach personal data. | 80% |
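The encryption row above turns on a single fact: whether the data the attacker carried off is intelligible to them. The script below is an added example, not SQUR's code and not anything from the regulation. It encrypts records, then evaluates a stolen set of artefacts against the keys the attacker is known to hold, so the exemption is denied when records were stored in clear or when the key was taken along with the ciphertext. To run on the Python standard library alone it uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC; that construction, the `StolenArtifact` type and the `art34_communication_required` helper are this example's own assumptions, and a production system should use AES-GCM from a vetted library instead. Whether the breach is "high risk" is an input here, not something the code decides.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16
TAG_LEN = 32
BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration stream cipher: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    for i in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_record(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; raise ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StolenArtifact:
    """Hypothetical record of one thing the attacker took (assumed type, not from the page)."""
    data: bytes
    encrypted: bool  # False: a plaintext export, log or backup


def is_intelligible(artifact: StolenArtifact, attacker_keys: list[bytes]) -> bool:
    """Intelligible if stored in clear, or if any key the attacker obtained decrypts it."""
    if not artifact.encrypted:
        return True
    for key in attacker_keys:
        try:
            decrypt_record(key, artifact.data)
            return True
        except ValueError:
            continue
    return False


def art34_communication_required(high_risk: bool, stolen: list[StolenArtifact],
                                 attacker_keys: list[bytes]) -> bool:
    """Art. 34 trigger narrowed by the encryption exemption quoted on this page.

    The exemption is lost as soon as one stolen artefact is intelligible. Notification of
    the supervisory authority (Art. 33) is a separate decision not modelled here.
    """
    if not high_risk:
        return False
    return any(is_intelligible(a, attacker_keys) for a in stolen)


if __name__ == "__main__":
    master = secrets.token_bytes(32)
    # Constructed sample record; any resemblance to real data is coincidental.
    record = encrypt_record(master, b'{"name":"Alice Example","dob":"1990-01-01"}')
    print("ciphertext only stolen :", art34_communication_required(True, [StolenArtifact(record, True)], []))
    print("ciphertext + key stolen:", art34_communication_required(True, [StolenArtifact(record, True)], [master]))
    print("plaintext export stolen:", art34_communication_required(True, [StolenArtifact(b"Alice,1990-01-01", False)], []))
```

The practical point is the second call: a key stored beside the data, in the same compromised database host or in a secret the attacker dumped, collapses the exemption even though every record on disk is encrypted. Key custody, not the presence of a cipher, is what an incident responder has to establish before relying on this clause.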
Underlying weaknesses · 7
| CWE | Why it maps | Confidence |
|---|---|---|
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | Describes the outcome of a personal data breach directly: data reaching someone not authorized to have it, with the resulting high risk to data subjects. | 100% |
| CWE-287 Improper Authentication | Lets unauthorized individuals reach systems and the personal data on them, producing the breach scenario the article covers. | 90% |
| CWE-798 Use of Hard-coded Credentials | Hands attackers working credentials to systems holding personal data, bypassing authentication entirely. | 80% |
| CWE-269 Improper Privilege Management | Lets an attacker escalate to privileges that expose personal data they should never have been able to read. | 90% |
| CWE-311 Missing Encryption of Sensitive Data | The absence of the very measure the article names as grounds for exemption: data stored in clear is intelligible to whoever takes it, so communication cannot be avoided on that basis. | 100% |
| CWE-522 Insufficiently Protected Credentials | Makes credentials easy to steal, and stolen credentials are the usual route to unauthorized access and disclosure of personal data. | 90% |
| CWE-732 Incorrect Permission Assignment for Critical Resource | Over-permissive access to stores of personal data lets an attacker, or any unauthorized user, read them without needing a further exploit. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0198 compute · voice-rubric self-validated