In case of a data breach, you need to inform the supervisory authority within 72 hours when the breach was found.

The notification has to consist of information what was stolen or lost, how the data was protected (ex. pseudonymisation) and how the breach may affect the persons, who’s data it was (Data Subjects in GDPR language). When the breach is severe, and it may affect persons with a high degree, then company needs to inform the possibly affected persons as well.