Definition
GDPR (art. 4(12), with the notification duties in arts. 33-34) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Typical sports-club examples: a lost USB drive holding the member database, an email containing personal data sent to the wrong recipient, a hack of the club's website, theft of an unencrypted laptop, an accidental leak through a publicly reachable URL.
Controller duties: 1) record the breach in an internal log, 2) assess the risk to individuals' rights and freedoms, 3) unless the breach is unlikely to result in a risk, notify the AEPD within 72 hours of becoming aware of it, 4) if the risk is high, also notify the affected individuals without undue delay.
When does it apply?
From the moment you become aware of the incident, even if it has already been contained. Notification to the AEPD is made online through its e-office (sede electrónica). If it is not possible to assess everything within 72 hours, file an initial partial notification and complete it in phases; if the 72-hour deadline is missed, the notification must state the reasons for the delay. Failing to notify when required is a typical ground for AEPD fines.
Practical example
Common mistakes
- Not notifying 'to avoid a sanction': the AEPD sanctions an unnotified breach more harshly than a breach that was notified and well managed.
- Waiting to 'be sure' before notifying: if you do not have the full picture within 72 hours, file a partial notification and complete it later.
- Not informing affected individuals when required: GDPR mandates it whenever the breach is likely to result in a high risk to them.
- Not logging breaches that were not notified: even low-risk breaches must be recorded in the internal log (art. 33(5)).
Related terms
If you care about this term, you probably also wonder about these:
Go deeper
This is not specific legal or tax advice
Information as of May 2026. Regulation evolves and every club has its own particular circumstances (region, federation, size, activities). For your specific case, talk to a lawyer or tax advisor specialised in Spanish sports law.