Personal data controllers must report certain personal data breaches to a Supervisory Authority within 72 hours according to the GDPR.
Both a natural person and a legal person can be a personal data controller according to the GDPR. In most cases, however, the controller is a legal entity.
The GDPR's principle of storage limitation means that personal data must be erased when they are no longer necessary for their purpose.
Anonymised information is not covered by the GDPR, because anonymised personal data relate to an identified or identifiable natural person.
There is a published guide from the European Data Protection Board (EDPB) which deals with the demarcation between Personal Data Controllers and Personal Data Processors.