In a case of a personal data breach the Controller shall without undue delay (no later than 72 hours after having become aware of it) notify the personal data breach to the supervisory authority.  If notification comes later than 72 hours then a detailed explanation for the delay must accompany that report.