AEPD’s Asesora Brecha: A Practical Tool for Article 33 GDPR Breach Notification Decisions
One of the most time-sensitive obligations under the GDPR is the requirement for data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 para. 1 GDPR). In practice, making that determination quickly and correctly is not straightforward.
The Spanish Data Protection Authority (AEPD) has recently launched a free, guided assessment tool specifically designed for this purpose: Asesora Brecha.
What Is Asesora Brecha?
Asesora Brecha is a resource for any data controller processing personal data to assess the obligation to notify the AEPD about a personal data breach without undue delay, as required by Article 33 GDPR. Data Protection Officers (DPOs), processors, and consultants can also use it to support their assessment work for controllers.
The tool is free of charge. Once completed, all data entered during the session is deleted, so the AEPD has no access to the information provided. This makes it safe to use even for sensitive incident scenarios.
One important caveat: Asesora Brecha is an aid to decision-making, but the decision itself always rests with the data controller. Its use does not represent the AEPD’s position on any specific breach.
The AEPD also offers a companion tool, Comunica-Brecha RGPD, which helps controllers assess the separate obligation under Article 34 GDPR to communicate a breach directly to affected data subjects.
Why This Matters Right Now
The AEPD’s Annual Report 2025 (Memoria 2025) makes the stakes clear. Sanctioning and warning proceedings related to personal data breaches increased by 157% in 2025 compared to 2024, from 30 to 77 proceedings. Fines linked to breaches reached nearly EUR 20 million, representing 40% of the AEPD’s total sanctions for the year.
The AEPD has been explicit: many of these cases started with what looked like an isolated complaint and revealed systemic failures. Failure to notify, or late notification, is itself a sanctionable infraction (Art. 83 para. 4 lit. a GDPR).
The AEPD also stresses that notifying a breach to the supervisory authority does not automatically trigger an administrative procedure. Timely notification is treated as evidence of diligence, while failure to comply is classified as an infraction.
Who Should Use Asesora Brecha?
The tool is relevant for:
- Data controllers in any sector who need to make a fast, documented notification decision after discovering a breach
- DPOs supporting their organization’s incident response process
- Processors helping controllers understand their exposure and obligations
- Privacy consultants advising clients on breach response
It is particularly useful for organizations that handle breaches infrequently and lack an established internal decision framework.
Practical Recommendation
Do not wait for an incident to happen before using the tool. Run test scenarios in advance, especially for your highest-risk processing activities. This allows your incident response team to understand the logic of the assessment, identify gaps in your documentation practices, and reduce decision time under pressure.
Need help structuring your breach response process, or looking for ongoing data protection support? FIRST PRIVACY offers both on-demand consulting and external DPO services.