Personal Data Breach Reporting

Reporting Personal Data Breaches

Personal Data (PD) Breach Reporting obligations are a critical part of the DIFC Data Protection Law 2020 (DP Law 2020) and many data protection laws like it around the world.

Making an honest, objective assessment of a breach, whether to report it and then, where necessary, reporting it are all valuable parts of the security and risk evaluation process of a company. It also shows transparency and willingness of an organisation to do the right thing by self-reporting to any relevant regulators and even to individuals, if needed.

PLEASE NOTE: To report strictly IT-related security breaches, please refer to the Information Security page of the DIFC website and use the tool available there to report. It may be required to report a Personal Data breach as well as an IT / IS breach. Please determine the requirements accordingly.


Should I Notify the Commissioner of a Personal Data or Security Breach?

The DP Law 2020 Article 41 / 42 Personal Data Breach Self-Assessment is for organisations and businesses to determine whether perceived Personal Data breaches are notifiable and report them to us.

If your organisation has possibly suffered a Personal Data breach that is likely to cause anyone serious harm, you are legally required to notify us, possibly other DP regulators, and you may also be required to notify affected individuals without undue delay.


If you have already determined that a PD or security at your organisation is notifiable, or wish to notify us in any case, please complete the Breach Reporting Form below.

Here is a checklist of what information is required.


Submit a Personal Data Breach Report

Reporting a Personal Data breach is an important part of accountability and transparency, and in certain instances, it is a requirement under the DP Law 2020, Articles 41 and 42. If you have determined that your organization has suffered such a breach that is reportable to the DIFC Commissioner of Data Protection, please do so using this form. Note that it will be submitted to the DIFC Portal for notification to the Commissioner through case management.

If you determine that you are required under Article 42 to notify an individual data subject whose Personal Data is involved in the breach, please do so separately as this form will not be shared with or reported to data subjects by the Commissioner's Office.

Breach Reporting Form
If your business or the business you are reporting for has a DIFC Commercial License or other DIFC authorization
If you are reporting a breach but the breaching entity does not have a Commercial License or other DIFC authorization (i.e., commercial permission), please provide your name and contact telephone and / or email address (at least one must be provided):
Contact number
Please complete the following questions to report a Personal Data Breach in accordance with Article 41 or 42 of the DIFC DP Law 2020:
If the breach is likely to cause serious harm to affected people, have you notified them?
How did you first hear about DIFC?
Have you recently seen an advertisement for DIFC?

If you need to update a Personal Data breach report you previously submitted to us, you can:

Email your update to:

Or access your previous service request in the DIFC Client Portal.

All data shared in the notification will be managed confidentially, and in accordance with the DIFC DP Law 2020 and the DIFC Online Data Protection Policy