Video Data Breach Notification (Article 33 GDPR) – Definition
A video data breach notification is a formal notice to the supervisory authority about a personal data breach where the incident concerns photo or video materials and may result in a risk to the rights and freedoms of natural persons. In the European Union, the legal basis is Article 33 of Regulation (EU) 2016/679, the GDPR. In Poland, such a notification is submitted to the President of the Personal Data Protection Office (UODO).
In the context of photos and recordings, this primarily covers situations involving a loss of confidentiality, availability, or integrity of materials containing identifiable individuals. This may include, for example, CCTV footage, video documentation from inspections, working photos, evidentiary materials, or multimedia archives before anonymization. If faces, license plates, or other elements that allow a person to be identified indirectly are visible in the image, the material may qualify as personal data. The assessment therefore does not end with the mere fact that a file was leaked. The key question is whether a person can be identified using means reasonably likely to be used, in line with Recital 26 GDPR.
Article 33(1) GDPR requires a personal data breach to be reported “without undue delay” and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A data leak alone does not automatically trigger the obligation to notify the data subjects. That is a separate obligation under Article 34 GDPR, which applies where there is a high risk.
When a Video or Photo Leak Must Be Reported to UODO
In compliance practice, the most difficult task is often distinguishing a technical incident from a personal data breach that requires notification. For visual materials, it is necessary to assess not only the source of the incident, but also the content of the image, the degree of identifiability, and the potential for further use of the data.
As a rule, the obligation to notify UODO arises when two conditions are met together: a personal data breach has occurred, and there is at least a risk to the rights or freedoms of natural persons. Example incidents include:
- unauthorized disclosure of non-anonymized recordings showing visible faces,
- sending photos or video files to the wrong recipient,
- the theft of a storage device containing a multimedia archive,
- a ransomware attack affecting a photo and video repository,
- accidental publication of material in which faces or license plates were not blurred,
- loss of control over working copies exported for external processing.
If the material was effectively anonymized before the incident, the risk may be significantly lower or may not arise at all. However, this applies only where the anonymization is irreversible within a reasonably likely threat model. Partial or low-quality blurring, or defective masking, does not automatically achieve that result.
The 72-Hour Deadline and the Moment of Becoming Aware of the Breach
The deadline under Article 33 GDPR runs from the moment the controller becomes aware of the breach, not from the moment the incident itself occurred. In its personal data breach notification guidelines, the European Data Protection Board states that a controller should be regarded as having become aware when it has a reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised.
For video materials in practice, it is useful to distinguish between three timestamps:
| Stage | Operational Meaning | Legal Meaning |
|---|---|---|
| Incident detection | A signal that there may be a problem | Does not always start the deadline |
| Breach confirmation | Establishing that personal data is involved | In most cases, this is when the 72 hours start |
| Completion of findings | Clarifying the scale and consequences | Phased notification is possible under Article 33(4) |
If the full details are not available within 72 hours, the controller may submit an initial notification and provide the missing information later without undue delay.
Scope of a Video Data Breach Notification
The content of the notification follows directly from Article 33(3) GDPR. For incidents involving photos and video, both the legal and technical aspects must be described. A generic statement such as “recordings leaked” is not sufficient.
The notification should include at least:
- the nature of the breach – for example, unauthorized disclosure of MP4 and JPG files showing visible faces,
- the categories and approximate number of data subjects concerned,
- the categories and approximate number of personal data records concerned,
- the name and contact details of the data protection officer or another contact point,
- a description of the likely consequences for natural persons,
- a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.
For visual materials, it is worth specifying technical parameters because they affect the risk assessment. Relevant factors include resolution, recording length, number of cameras, the ability to read license plates, the presence of audio, geolocation, EXIF metadata, timestamps, copy retention, and the level of storage encryption.
Risk Assessment for Photos and Recordings Before Anonymization
A risk assessment cannot be abstract. Video footage often carries a greater identification risk than a single text record because it combines image, location context, time, and a sequence of behavior. This is especially true for recordings before faces and license plates have been blurred.
The following attributes are useful in the assessment:
| Attribute | Risk Relevance | Example |
|---|---|---|
| Face identifiability | Higher resolution increases the risk of recognition | 4K, close-up of a face |
| Vehicle identifiability | Ability to read license plates and link them to a person | Company parking lot |
| Situational context | Reveals habits, workplace, route, or relationships | Entrance to a medical facility |
| Incident scale | Affects the priority and scope of response | 10 files vs. 10,000 files |
| Effectiveness of anonymization | Reduces risk only where irreversibility is genuine | Permanent masking in the final export |
Image processing environments often use AI models based on deep learning to detect faces and license plates, followed by blurring or masking algorithms. A detection model alone is not anonymization. It is only the object detection stage. The risk of a data breach decreases only after the mask has been applied correctly and the result has been verified. If unblurred faces or license plates remain before export, the material still contains personal data.
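The verification step this paragraph calls for, as an added example that is not code from the original page or from any product: a check run on the exported frame that reports every detection box whose pixels still carry detail, which also catches the defective partial masking and the out-of-frame boxes mentioned above. It assumes the detection stage already produced the boxes; the frame, the box coordinates and the variance threshold are constructed here.

```python
# Added example: post-export check that each face/plate detection was masked.
# Frames are constructed lists of rows of grayscale values 0..255;
# boxes are (x0, y0, x1, y1) with exclusive upper bounds.
from statistics import pvariance


def region_pixels(frame, box):
    x0, y0, x1, y1 = box
    return [frame[y][x] for y in range(y0, y1) for x in range(x0, x1)]


def region_is_masked(frame, box, max_variance=25.0):
    """A region counts as masked only if its pixels are near-uniform
    (solid fill or heavy blur); remaining detail shows as high variance."""
    return pvariance(region_pixels(frame, box)) <= max_variance


def verify_export(frame, detections, max_variance=25.0):
    """Return the detection boxes that still carry unmasked detail.
    Empty list means the export passed; a box outside the frame is
    reported as well, because its masking cannot be verified."""
    height = len(frame)
    width = len(frame[0]) if height else 0
    failures = []
    for box in detections:
        x0, y0, x1, y1 = box
        inside = 0 <= x0 < x1 <= width and 0 <= y0 < y1 <= height
        if not inside or not region_is_masked(frame, box, max_variance):
            failures.append(box)
    return failures


def make_frame(width, height):
    # Constructed background with fine, high-variance detail everywhere.
    return [[(x * 37 + y * 91) % 256 for x in range(width)] for y in range(height)]


def apply_mask(frame, box, value=0):
    # Solid-fill mask; returns a new frame so the raw copy stays untouched.
    x0, y0, x1, y1 = box
    out = [row[:] for row in frame]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = value
    return out


FACE, PLATE = (2, 2, 6, 6), (0, 6, 8, 8)                    # constructed detections
RAW = make_frame(8, 8)
FULL = apply_mask(apply_mask(RAW, FACE), PLATE)             # correct masking
PARTIAL = apply_mask(apply_mask(RAW, (2, 2, 6, 4)), PLATE)  # face only half-masked

if __name__ == "__main__":
    for name, frame in (("raw", RAW), ("full", FULL), ("partial", PARTIAL)):
        print(name, "unmasked boxes:", verify_export(frame, [FACE, PLATE]))
```

On real exports the same check would be fed by the detector's boxes and the decoded frame, with the threshold calibrated on known-good masked output.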
Organizational Practice and Measures to Mitigate the Effects of a Breach
A well-prepared data breach notification should show that the controller understands the source of the incident and has implemented remedial measures. In the photo and video area, these usually include access control, repository segmentation, encryption, retention controls, and procedures for verifying anonymization before publication or transfer of the material.
In practice, it is worth documenting:
- whether the material was processed locally in an on-premise environment or elsewhere,
- whether the files were encrypted at rest and in transit,
- whether access was granted in line with the principle of least privilege,
- whether quality control of face blurring and license plate blurring was performed,
- whether working copies and temporary exports were deleted or isolated,
- whether a data breach register was maintained in accordance with Article 33(5) GDPR.
Internal documentation has evidential value. Even where the controller concludes that notification to UODO is not required, it should be able to demonstrate the assessment process and the basis for that decision.
Legal and Interpretative References
The legal basis is found in the legislation and official guidance. For visual data, EU sources and the national practice of the supervisory authority are particularly important.
- Regulation (EU) 2016/679, Article 4(12), Article 33, Article 34, Recital 26 – European Parliament and Council, 2016.
- Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679, WP250 rev.01, adopted on 6 February 2018 and endorsed by the EDPB.
- EDPB Guidelines 01/2021 on Examples regarding Personal Data Breach Notification, version 2.0, adopted on 14 December 2021.
- Guidance materials and notification forms of the President of UODO concerning the notification of personal data breaches.