Must a company notify me after a data breach involving my personal data?
How the answer differs across 11 jurisdictions
Canada: If a company in Canada suffers a data breach exposing your personal information, it must report the breach to the Office of the Privacy Commissioner of Canada and notify you if there's a real risk of significant harm.
Australia: Yes, if the breach is likely to result in serious harm to you, the company must notify you and the OAIC within 30 days under Australia’s Notifiable Data Breaches (NDB) scheme.
Ireland: If a data breach exposes your personal information in Ireland, the controller must notify the Data Protection Commission (DPC) within 72 hours and inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms.
Singapore: Yes, organisations in Singapore must notify the PDPC of a data breach that poses a risk of significant harm to affected individuals or is likely to materially affect the public interest.
European Union: Yes, under EU law, a company must notify you without undue delay if a data breach is likely to result in a high risk to your rights and freedoms.
India: Under the Digital Personal Data Protection Act, 2023 (DPDPA), a data fiduciary must notify the Data Protection Board of India and affected individuals without undue delay upon becoming aware of a personal data breach that is likely to cause harm.
South Korea: In South Korea, personal information controllers must notify the Personal Information Protection Commission (PIPC) and affected individuals without delay—within 72 hours of becoming aware of a data breach—if the breach poses a risk of harm.
UK: Yes, you may be entitled to compensation for distress caused by a data breach in the UK, even without financial loss, if the breach resulted from a controller’s failure to comply with UK GDPR or the Data Protection Act 2018.
US-California: If your personal data is breached, a company in California must notify you without unreasonable delay, generally within 45 days, and provide specific information about the breach, including what data was exposed and what the company is doing to fix it.
US-New York: Yes, New York law requires companies to notify you within a reasonable time after discovering a data breach involving your private information.
Japan: In Japan, businesses must report personal data breaches to the Personal Information Protection Commission (PPC) without delay if the breach poses a risk of harm to individuals’ rights or interests. Notification to affected individuals is also required in certain cases.
Read Full Articles
Canada: What happens if a company has a data breach that exposes my personal information?
Australia: A company suffered a data breach exposing my personal details. Are they required to notify me?
Ireland: A data breach exposed my information. What should happen?
Singapore: Must a data breach be notified to the PDPC?
European Union: A company suffered a data breach with my information. Must they tell me?
India: What is a data breach notification obligation under DPDPA?
South Korea: What is the obligation to notify about data breaches?
UK: Can I get compensation for a data breach that caused me distress?
US-California: What must a company do if my personal data is breached?
US-New York: Does New York require companies to notify me if my data is breached?
Japan: What reporting duties for data breaches?

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: June 2026.