Personal Data Breach Reporting

Reporting Personal Data Breaches

Personal Data (PD) Breach Reporting obligations are a critical part of the DIFC Data Protection Law 2020 (DP Law 2020) and many data protection laws like it around the world.

Making an honest, objective assessment of a breach, deciding whether to report it and then, where necessary, reporting it are all valuable parts of a company's security and risk evaluation process. Self-reporting to any relevant regulators, and even to individuals if needed, also shows an organisation's transparency and willingness to do the right thing.

PLEASE NOTE: To report strictly IT-related security breaches, please refer to the Information Security page of the DIFC website and use the tool available there to report. It may be required to report a Personal Data breach as well as an IT / IS breach. Please determine the requirements accordingly.



Should I Notify the Commissioner of a Personal Data or Security Breach?

The DP Law 2020 Article 41 / 42 Personal Data Breach Self-Assessment is for organisations and businesses to determine whether perceived Personal Data breaches are notifiable and report them to us.

If your organisation has possibly suffered a Personal Data breach that is likely to cause anyone serious harm, you are legally required to notify us, possibly other DP regulators, and you may also be required to notify affected individuals without undue delay.


breach notification assessment


If you have already determined that a PD or security breach at your organisation is notifiable, or wish to notify us in any case, please complete the Breach Reporting Form below.

Here is a checklist of what information is required.



Submit a Personal Data Breach Report

Reporting a Personal Data breach is an important part of accountability and transparency, and in certain instances, it is a requirement under the DP Law 2020, Articles 41 and 42. If you have determined that your organization has suffered such a breach that is reportable to the DIFC Commissioner of Data Protection, please do so using this form. Note that it will be submitted to the DIFC Portal for notification to the Commissioner through case management.

If you determine that you are required under Article 42 to notify an individual data subject whose Personal Data is involved in the breach, please do so separately, as this form will not be shared with or reported to data subjects by the Commissioner's Office.

Breach Reporting Form


If your business or the business you are reporting for has a DIFC Commercial License or other DIFC authorization (i.e., commercial permission), please provide the relevant contact name and the entity’s CL Number

If you are reporting a breach but the breaching entity does not have a Commercial License or other DIFC authorization (i.e., commercial permission), please provide your name and contact telephone and / or email address (at least one must be provided):

Name *
Contact number
Please complete the following questions to report a Personal Data Breach in accordance with Article 41 or 42 of the DIFC DP Law 2020:

If the breach is likely to cause serious harm to affected people, have you notified them?

Why have you not notified the people affected?
What permitted exception(s) are you relying on to not notify the people affected at this time? Select all that apply
Are you relying on giving public notice to notify the people affected?
Why are you relying on giving public notice to notify the people affected?
Please provide as much detail as you can about why, when, how and in what medium you gave, or intend to give, public notice. Use the attachment field at the end of this form to upload a copy of your notice(s).
Number of people affected:
Type of personal information involved in the breach. Select all that apply. Click the down arrow again to select another value.
Type of breach. Select all that apply
Tell us what happened
Do you know where the information has gone?
Please provide any available details you wish to share:
How sensitive is the information that is involved in the breach?

Sensitive information can be, for example, about someone's health, political or religious beliefs, or financial information. Context is important. Information that is not sensitive in one situation might be very sensitive in another.

Who has obtained or may obtain the information?

What types of harm may be caused to people affected by the breach? (For each type of harm you identified, please rate the likely impact you think it will have on any affected persons).

Discriminatory harm
Emotional harm
Employment harm
Financial harm
Identity theft
Loss of access to information
Loss of opportunity
Physical harm
Reputational harm
Threats of harm
No one
Don't know
How likely is it that someone will be harmed because of this breach?
What steps have been taken to reduce the risk of harm or further harm from this breach? Select all that apply.
Are there security measures in place that protect the information from being accessed?
Please tell us if any of the following applies. (If anyone's life is in immediate danger, please contact the Police).

Is someone's physical safety in immediate danger?
Is someone's psychological safety at immediate risk?
Is someone at immediate risk of serious financial harm?
Were any other organisations affected by the breach?
Please name the other affected organisations and explain how they were affected.
Has the breach been reported to other authorities?
What authorities has the breach been reported to?
Please list any other privacy or data protection authorities, law enforcement or regulatory bodies that you have reported this data breach to. Provide as much detail as you can about why, when, how and by whom (e.g. by your organisation or an affected person).
Have you contacted any organisations that might be able to provide support to your organisation or people affected by the breach? Select all that apply
Please provide any other information you think may be relevant to the breach, or steps you have taken or intend to take in response. [Optional]
You can upload any attachments here (e.g. copy of any public notice if applicable). The total size limit is 10MB. [Optional]
Have you recently seen an advertisement for DIFC? *
How did you first hear about DIFC? *

If you need to update a Personal Data breach report you previously submitted to us, you can:

Email your update to: [email protected]

Or access your previous service request in the DIFC Client Portal. 


All data shared in the notification will be managed confidentially, and in accordance with the DIFC DP Law 2020 and the DIFC Online Data Protection Policy
