Competencies of the supervisory authority, in relation to the personal data breach notification
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Chapter IV, Section 2, Article 34, Paragraph 4
Regulation's subject matter
Communicating the personal data breach with the data subject (Article 34, Section 2, Chapter IV)