GDPR · July 4, 2026 · 6 min read

GDPR Article 33: Reporting a Data Leak from an AI Tool

The 72-hour clock starts when you become aware of the breach — so an undetected paste into an AI tool can quietly put you out of compliance.


AIovert Security Team

GDPR & EU AI Act practitioners · Last updated July 4, 2026

The short answer

Under GDPR Article 33, if personal data is exposed through an AI tool and the incident is likely to result in a risk to individuals, you must notify your supervisory authority within 72 hours of becoming aware of it. Where the risk to individuals is high, Article 34 also requires notifying the affected people. If the incident is unlikely to result in a risk, you need not notify the authority but must still document it. Detecting the exposure at all is the hard part with AI tools, which is why prevention and logging matter.


The 72-hour duty

Article 33 requires notification without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if you notify later than that, the notification must state the reasons for the delay. The notification must describe the nature of the breach, including the categories and approximate number of individuals and personal-data records affected, give the contact details of your DPO or another contact point, set out the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its effects. Where all of this is not available at once, Article 33(4) allows it to be provided in phases without further undue delay.

The detection gap with AI tools

You cannot report what you cannot see. If staff paste personal data into unmonitored AI tools, an exposure may never be detected, meaning the notification duty is silently breached. Browser-level logging closes this gap by recording sensitive-data events at the point of entry — the same visibility that brings shadow AI under GDPR back into view.

Prevention as the best defence

The strongest position is to prevent the exposure entirely with a control that blocks sensitive pastes before submission, backed by an audit log you can rely on if you ever need to demonstrate what happened and when. See how to stop employees pasting confidential data into ChatGPT and is it a GDPR breach to put customer data into ChatGPT?

Frequently asked questions

Does every AI-related data exposure have to be reported within 72 hours?

Only those likely to result in a risk to individuals' rights and freedoms. You must assess each incident; if it meets that threshold, notify within 72 hours of awareness. Lower-risk incidents still require internal documentation.

What if we didn't know the data was exposed?

The 72-hour period runs from awareness, and under EDPB guidance a controller is treated as aware once it has a reasonable degree of certainty that a security incident has compromised personal data. A lack of monitoring is not a defence: Article 32 expects controllers to have measures capable of detecting breaches, so an exposure that went undetected points to an accountability and security gap rather than excusing a late notification.

How does logging help with Article 33?

A reliable log of sensitive-data events lets you determine quickly whether an exposure occurred, what was involved, and how many people are affected — exactly the information Article 33 requires you to provide.
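The point-of-entry control described in the sections above (block a sensitive paste before it reaches the AI tool, and record an event the breach assessment can use) is small enough to show in working code. The following is an added example written for this page; it is not AIovert's product code. It scans pasted text for a few personal-data patterns, cancels the paste when something is found, and writes an audit record carrying only the fields an Article 33 notification needs (time, data categories, approximate record count, destination) while deliberately not storing the matched values. The detector patterns, the log field names and the `context` object are illustrative assumptions, as is the sample paste.

```javascript
// Added example, not AIovert's code: a browser-side paste guard for an AI chat
// box. Pattern set, log field names and the `context` shape are assumptions
// made for illustration, not a standard or a product's schema.

// Detector patterns (assumed; a real deployment would tune these per
// jurisdiction). Each category maps to a GDPR "category of personal data".
const DETECTORS = [
  { category: "email address", re: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi },
  { category: "phone number", re: /(?:\+\d{1,3}[ -]?)?\b\d{3}[ -]?\d{3}[ -]?\d{3,4}\b/g },
  { category: "IBAN", re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },
  { category: "date of birth", re: /\b(?:0[1-9]|[12]\d|3[01])[./-](?:0[1-9]|1[0-2])[./-](?:19|20)\d{2}\b/g },
];

// Returns { category: distinctMatchCount } for every category present in text.
// Distinct values are counted so the same address pasted twice is one record.
function scanForPersonalData(text) {
  const findings = {};
  for (const { category, re } of DETECTORS) {
    const distinct = new Set((text.match(re) || []).map((m) => m.trim()));
    if (distinct.size > 0) findings[category] = distinct.size;
  }
  return findings;
}

// Builds the audit record. Matched values are deliberately NOT stored: the log
// must not become a second copy of the personal data it is guarding.
function buildAuditRecord(findings, context, now = new Date()) {
  const categories = Object.keys(findings);
  return {
    timestamp: now.toISOString(),
    event: categories.length > 0 ? "paste_blocked" : "paste_allowed",
    user: context.user,               // pseudonymous ID in a real deployment
    destination: context.destination, // hostname of the AI tool
    categories,
    approxRecords: Object.values(findings).reduce((sum, n) => sum + n, 0),
  };
}

// Decision and logging in one place so the DOM handler stays trivial.
// Every paste is logged (allowed or blocked) so the log also proves a negative.
function guardPaste(text, context, auditLog, now = new Date()) {
  const findings = scanForPersonalData(text);
  const record = buildAuditRecord(findings, context, now);
  auditLog.push(record);
  return { allowed: record.event === "paste_allowed", record };
}

// Browser wiring: cancelling the paste event means the data never enters the
// prompt box, so there is nothing to submit and nothing to notify about.
function installPasteGuard(promptBox, context, auditLog) {
  promptBox.addEventListener("paste", (event) => {
    const text = event.clipboardData ? event.clipboardData.getData("text") : "";
    const { allowed, record } = guardPaste(text, context, auditLog);
    if (!allowed) {
      event.preventDefault();
      console.warn("Paste blocked:", record.categories.join(", "));
    }
  });
}

const AUDIT_LOG = []; // in production: shipped off-device to append-only storage

// Constructed sample input for a stand-alone run (fictitious, not real data).
const SAMPLE_PASTE =
  "Summarise this: Customer Anna Muster, anna.muster@example.com, born 12.03.1985, " +
  "IBAN DE89370400440532013000, phone +49 170 1234567.";

if (typeof document !== "undefined") {
  const box = document.querySelector("textarea");
  if (box) installPasteGuard(box, { user: "u-1042", destination: location.hostname }, AUDIT_LOG);
} else {
  const result = guardPaste(SAMPLE_PASTE, { user: "u-1042", destination: "chat.example" }, AUDIT_LOG);
  console.log(JSON.stringify(result.record, null, 2));
}
```

Run in Node to see the record the sample paste produces: four categories, four records, no raw values. The design choice worth copying is the last one: a log that kept the matched strings would itself be a store of personal data and would widen any later breach, whereas categories plus counts are exactly what Article 33(3) asks you to report.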

Primary sources

Regulatory dates and requirements can change: verify against the official text of the GDPR before relying on them. This page is informational and not legal advice.

Close the detection gap before the clock starts.

AIovert blocks sensitive pastes before submission and keeps a reliable audit log — so exposures don’t go unseen and unreported. Deploys in 15 minutes.