Two types of data breaches must be notified to the CNPD:
Data breaches under the General Data Protection Regulation
Controllers shall notify data breaches to the CNPD within 72 hours after becoming aware of it if it is likely to result in a risk to the rights and freedoms of natural persons. In case of a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay.
Data breaches in the electronic communications sector
In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.