UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants
If a company (controller) experiences a data breach, it must report the incident to the DIFC Commissioner without delay via the email commissioner@dp.difc.ae or the DIFC website.

Informing affected individuals
The Commissioner may instruct the company to inform affected individuals (data subjects) or to issue a public announcement through email, letters or media outlets.

Penalties for not reporting breaches
Failure to notify the Commissioner or affected individuals when legally required may incur fines, sanctions or other legal consequences.

Handling accidental possession of personal data
If a business or individual accidentally gains access to someone else’s personal data, they are considered a temporary custodian and the following applies.
• They must attempt to return the data to, or notify, the rightful owner (Party B) within 30 days.
• If Party B recovers the data, the custodian (Party A) must delete all copies.
• If Party B is unidentifiable or unresponsive, Party A must: (a) inform the Commissioner and hand over the data; (b) explain how the data was acquired; and (c) delete all copies.

Commissioner’s role in handling accidental data possession
The Commissioner will assess the situation and may:
• impose penalties on Party B;
• instruct Party B to notify affected individuals; and
• order Party B to cover costs related to the data’s handling.

ADGM DPR

Reporting data breaches
A company (controller) must report a personal data breach to the Commissioner of Data Protection within 72 hours of becoming aware of it. If the report is delayed, an explanation must be provided. If a breach occurs at a processor, the processor must immediately notify the controller.

Report requirements
The report to the Commissioner should include:
• what happened – the type of data breach and the estimated number of affected individuals and records;
• contact information – the company’s DPO or responsible person;
• potential risks – the likely impact on affected individuals; and
• corrective actions – measures taken to mitigate the issue.

Internal documentation
Regarding communication of a breach, companies must keep records of all breaches, their impact and their resolutions. If a high-risk breach could significantly affect individuals, they must be notified immediately about:
• what happened;
• possible consequences;
• steps taken to fix the issue; and
• how individuals can protect themselves.

Exception to notification
Notification is not required if:
• the data was encrypted or otherwise secured, making it useless to unauthorised parties;