Tick each step as you handle the incident. Capture the facts, the risk band, and the notification decisions. Print or save as PDF for your incident records. Built around Articles 33 & 34 GDPR and EDPB Guidelines 9/2022.
e.g. INC-2026-001
Response-team lead
Date or range
Stop the bleeding before you start documenting.
The supervisory authority will ask. Forensics need the same artefacts.
Land on a band — the band drives every subsequent decision.
Identity, contact, financial, health, special-category, etc.
Number and category
Discrimination · identity theft / fraud · financial loss · reputational damage · loss of professional-secrecy confidentiality · pseudonymisation reversal · loss of control · special-category or criminal data · vulnerable subjects (children) · large scale
Art. 33(1). Late filing is permitted with a documented reason — silence is not.
Case number / acknowledgement, when received
Art. 34(1). Plain language. Three Art. 34(3) exceptions may apply.
Required even when no notification was needed. Retain at least 5 years from closure.
The CookieSentry Breach Procedure ships with your legal name, the supervisory authority for your country, the response team with phone numbers, and the country-localised filing details — bilingual EN + DE/PL/LT, Word + PDF, ready for counsel.
The worksheet operationalises the procedure most EU data protection authorities expect to see when they audit a breach response: contain the incident, preserve evidence, assess the risk against Recital 75 factors, decide on notification, log the outcome. Each step you complete is autosaved to your browser (nothing is sent to any server), and the print output is a self-contained incident record you can hand to a DPO, counsel, or the supervisory authority on request.
The 3-band risk model is anchored to the statute directly. Low — unlikely to result in a risk; log only. Medium — likely to result in a risk; notify the supervisory authority within 72 hours under Article 33(1). High — likely to result in a high risk; also notify the affected subjects without undue delay under Article 34(1), unless an Article 34(3) exception applies (encryption rendering data unintelligible, mitigation already removing the high risk, or disproportionate effort). The worksheet captures the band you chose and the reasoning, which is exactly what an audit will ask to see.
For long-form coverage of every step — including five common scenarios walked through, the four mandatory contents of a supervisory-authority notification, and the three Article 34(3) exceptions in detail — read the full data breach response guide.
The CookieSentry Breach Procedure ships with your legal name, response team, country-specific supervisory authority, and the breach register schema (11 fields, Art. 33(5)) — plus 5 more GDPR documents. Bilingual EN with DE / PL / LT, Word and PDF export, ready for counsel redline.
Yes, fully free. No account, no email, no signup. Everything you type stays in your browser's local storage and never leaves your device. Print to PDF when you're done and the worksheet doubles as your incident record.
The worksheet is scenario-agnostic and tracks one specific incident — incident ID, dates, decisions, evidence. The CookieSentry Breach Procedure is your company's standing internal procedure: it names the response team, the supervisory authority for your country, the sub-processors to notify, the country-localised filing URLs, and ships in EN with DE/PL/LT bilingual options. You use the procedure to set up; you fill the worksheet during an incident.
Yes — that is the intended use. The print output is a clean, paginated PDF (no nav, no marketing, no buttons) that reads as a self-contained incident record. Email it, drop it in the case folder, share with counsel.
It is not a substitute for your standing procedure or your breach register, but a completed worksheet is a strong contemporaneous record of how you assessed and handled an incident. Combined with the formal Breach Register entry (Article 33(5)) and any notification correspondence, it is exactly the documentation an authority would expect to see.
Everything autosaves to your browser as you type. Close the tab, come back tomorrow on the same browser, and your work is still there. There is no server, no account, no syncing — which means you cannot access the worksheet from a different device. For team-shared records, use the standing breach register in the company's own system.
Germany: the Landesdatenschutzbeauftragte of the Bundesland in which your company is registered (each Land has its own online notification form). Poland: UODO at uodo.gov.pl. Lithuania: VDAI at vdai.lrv.lt. The CookieSentry Breach Procedure document configures the right authority and filing URL for your country automatically.
Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, ROPA — all generated against your company, your country's supervisory authority, and your actual processing activities. Counsel-redlinable Word and PDF, EN with DE / PL / LT bilingual. Pay only after you preview every document.
This worksheet is a practical tool, not legal advice. The application of GDPR Articles 33 and 34 to a specific incident depends on facts only counsel familiar with your jurisdiction can assess. Use the worksheet as a contemporaneous record of your response and supplement it with formal counsel review before filing notifications for high-risk processing.