Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 9
Reporting Personal Data Breach
- In addition to the obligations of the Controller stipulated in this Decree by Law, the Controller shall, at the time it becomes aware of the existence of any breach or violation of Personal Data of the Data Subject that would prejudice the privacy, confidentiality and security of data, notify the Bureau of such breach or violation and the investigation rights within the period and in accordance with the measures and requirements set by the Executive Regulations of this Decree by Law, provided that the reporting is accompanied by the following data and documents:
a. A description of the nature of the breach or violation, its form, causes, approximate number and records.
b. Details of the appointed Data Protection Officer.
c. Potential and expected effects of the breach or violation.
d. Corrective measures and actions taken or suggested by it to confront such violation and reduce its negative impacts.
e. Documents of the violation and corrective actions taken by it.
f. Any other requirements required by the Bureau - In all cases, the Controller shall notify the Data Subject in the event that the violation or breach would prejudice the privacy and confidentiality of the security of his/her Personal Data within the period and in accordance with the measures and requirements set by the Executive Regulations of this Decree by Law. It shall inform him/her of the measures taken by it
- If the Processor becomes aware ofany breach of Personal Data, it shall notify the Controller of such breach as soon as it becomes aware of the same. the Controller shall in turn inform the Bureau in accordance with Clause (1) of this Article.
- After receiving the notification from the Controller, the Bureau shall verify the reasons for the violation to ensure the integrity of the security measures taken, and impose the administrative penalties referred to in Article (26) of this Decree by Law in the event that a violation of its provisions and decisions issued in implementation of it is proven against the Controller or the Processor.