Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
The new Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) includes data breach notification obligations to supervisory authorities and individuals (Art. 9). Data Controllers are required to immediately inform the data protection authority of any infringement or breach of personal data that would “prejudice the privacy, confidentiality and security of such data” (Art. 9). The period to inform the data protection authority is to be determined by the Executive Regulations.
Notice to the authority should include:
- the nature, form, causes, approximate number and records of the infringement or breach;
- the Data Protection Officer’s information;
- the potential and expected impact of the infringement or breach;
- procedures and measures taken or that will be taken to address the breach and mitigate any negative effects;
- documentation of the infringement or breach and the corrective actions taken; and,
- other requirements by the data protection authority.
In addition, employers and other controllers should notify data subjects and advise them of the procedures taken if the infringement or breach would prejudice the privacy, confidentiality or security of their personal data.
Under the Penal Code (Art. 456) individuals who conceal property derived from crime can be subject to the penalty for that crime.
Note that some free trade zones in the UAE, such as the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM), have data breach notification requirements and have regulators specifically responsible for data protection.