Under the UAE PDPL, the data controller must notify the UAE Data Office of a personal-data breach within 72 hours of confirmed assessment [1].
What triggers the obligation:
- Any breach of confidentiality, integrity, or availability of personal data — for example, hacking, accidental disclosure, lost laptop, misdirected email, ransomware.
- The clock starts when the controller "becomes aware" of the breach to a reasonable degree of confirmation. Internal investigation time before that point is allowed but should be documented.
What the notification must include:
- Nature of the breach: categories of data, approximate number of data subjects, approximate volume of records.
- Likely consequences and risk assessment.
- Mitigation steps already taken or planned.
- DPO contact details for follow-up.
If the breach is "high risk" to data subjects' rights and freedoms, the controller must also notify each affected data subject without undue delay, in clear plain language, with steps the subject can take.
Processors (vendors handling data on the controller's behalf) must notify the controller without delay; the controller is then responsible for the regulator and data-subject notifications.
For breach response, retain a UAE-licensed data-protection lawyer or DPO advisor to coordinate.
More questions readers asked
Is consent always required to process my personal data under UAE PDPL?
No — consent is one of six lawful bases. Others: contract performance, legal obligation, vital interest, public interest, legitimate interest. Data subject rights apply regardless of basis.
This is general legal information, not legal advice. For advice tailored to your specific situation, consult a UAE-licensed lawyer.