A personal data breach under GDPR Article 4(12) is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."
This is broader than a "hack." It includes lost laptops, mistaken email recipients, ransomware that encrypts data without exfiltrating it, and accidentally publishing a dataset to a public S3 bucket.
The 72-hour rule
Article 33 requires the controller to notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms. The notification must include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed.
If the breach is likely to result in a high risk to data subjects' rights and freedoms, Article 34 also requires notifying the affected data subjects directly, in clear and plain language, without undue delay.
The processor's role
Article 33(2) requires the processor to notify the controller without undue delay after becoming aware of a breach. This is critical because the controller's 72-hour clock starts when the controller becomes aware, which is typically the moment the processor tells them.
A vendor whose DPA promises notification "as soon as reasonably practicable" or "within a commercially reasonable timeframe" is giving themselves room that may put the controller out of compliance. A defined number — 24 hours, 48 hours, 72 hours — is much better. Many enterprise customers negotiate to 24 hours.
The subprocessor chain
The same notification chain runs through subprocessors: subprocessor notifies processor, processor notifies controller, controller notifies regulator. Each handoff adds delay. A subprocessor with a "without undue delay" clause and a processor with a "within 24 hours" clause may produce a controller notification timeline that doesn't actually fit inside 72 hours.
This is one of the things that makes the subprocessor list more than a curiosity: a new subprocessor added to the chain extends the breach-notification path.