When is a controller required to notify the supervisory authority of a loss of personal information that could harm an individual?

Study for the IAPP Certified Information Privacy Professional/Europe Exam. Use flashcards and multiple choice questions for effective preparation, with detailed hints and explanations. Get ready to boost your career in data privacy!

The requirement for a controller to notify the supervisory authority about the loss of personal information that could potentially harm an individual is established in the General Data Protection Regulation (GDPR). The correct timeframe for this notification is within 72 hours after the controller becomes aware of the breach. This prompt reporting is crucial to enable the supervisory authority to assess the situation and take any necessary actions to protect the rights and freedoms of individuals.

This 72-hour window emphasizes the importance of quick action in data breach incidents, allowing for timely interventions that may mitigate harm to affected individuals. It also reinforces the accountability of data controllers in managing and protecting personal data effectively. The regulation encourages organizations to have proper incident response procedures in place to ensure they can identify and report data breaches rapidly.

Other options suggest longer timeframes, or that the supervisory authority need not be notified at all, neither of which aligns with the GDPR requirements. The specific 72-hour notification requirement plays a significant role in maintaining the integrity of, and the protective measures around, personal data within the EU.
