The term “without undue delay” in context of the GDPR - 1 day, 1 week, 1 month?

The GDPR mentions the term "without (undue) delay" in several places. Among others, the term can be found in Art. 5 (1) d GDPR, according to which data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In addition, Art. 12 (3) GDPR states that the requests of data subjects' rights must be executed without undue delay but in any event within one month of receipt of the request. Also, a processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions (Art. 28 (3) GDPR) and the notification of personal data breach to the supervisory authority must also, in principle, take place without undue delay (Art. 33 (1) GDPR). According to Art. 34 (1) GDPR, the controller shall communicate the personal data breach to the data subject without undue delay.

Since the GDPR is a legal norm under European law, the terms in it must be interpreted autonomously (ECJ, judgement of 10.01.1980 – C-69/79; ECJ, judgement of 07.02.1979 – C-11/76). Any definitions within the legislation of the Member States cannot be used as a congruent definition of the respective term under European law.

The case law of the European Court of Justice does not provide clear periods of time concerning the term “undue delay”. With regard to an implementing decision in another field of law, the ECJ found that the term "without undue delay" was not compatible with a time limit of several weeks or even, as in the present case, several months, given its customary meaning in everyday language (ECJ, judgment of 05.09.2019, C-443/18, recital 38). In a further judgment, the Court found that the use of the term “without undue delay” does not specify a precise time limit within which action should be taken. Although it requires prompt action, it leaves some room for interpretation (ECJ, judgment of 18.11.1999, C-151/98 P, recital 25).

Concerning Art. 34 (1) GDPR, the EDPB comments on the term in its WP 250 adopted by the Article 29 Working Party on the Guidelines on Personal data breach notification under Regulation 2016/679: The GDPR states that communication of a breach to individuals should be made “without undue delay,” which means as soon as possible (p. 20).

It is apparent that the term "without undue delay" requires a case-by-case analysis, taking into account the individual circumstances and conditions of each case, and is not subject to a hard conceptual definition that defines concrete absolute periods of time within which an action must take place.