Office of Data Protection
Personal data breach notifications
A personal data breach is any confirmed incident in which Personal Data has been lost, accessed and/or disclosed in an unauthorized fashion either accidentally or deliberately.
Under Section 9 (5) of ADGM’s Data Protection Regulations 2015, Data Controllers must inform the Registrar of personal data breaches not later than 72 hours after becoming aware of them.
Who must report the data breach
Data Controllers must inform the Registrar of a data breach. ‘Data Controller’ means any ADGM registered entity that alone or jointly with others determines the purposes and means of the processing of Personal Data. A representative of the Data Controller should make the notification to the ADGM Office of Data Protection on behalf of the Data Controller.
How to report a data breach
Data breaches can be reported to the Registrar via the Online Registry Solution.
You must have authority over the entity on the system in order to report the breach.
Log into the Online Registry Solution.
Open the entity from your dashboard.
Navigate to the Data Protection Screen of the entity registration details.
Select the Data Protection Breaches Tab.
Select the Notification of Breach button.
Once selected, you will be prompted with a series of questions. Please provide as much detail as possible during this process, and click submit. The questions you will need to answer are listed in: Personal Data Breach Notification Questions.
The Office of Data Protection will review the notification and may contact you for clarification or further information. If the breach is relatively minor in terms of risk of harm to the Data Subjects whose data has been breached and/or you demonstrate that you are adequately implementing measures to mitigate the risk and prevent future occurrences, the notification may result in no further action.
If you have questions or need any assistance, we're here to help.