Report a Breach Of Personal Data

There is an obligation, in certain circumstances, on organisations to file a report with the DPC. Use this form if you wish to contact us on behalf of an organisation to report a personal data breach* that has occurred in your organisation (or that you think may have occurred), in circumstances where you have determined that the breach presents a risk to the affected individuals.

You can also use this form to update a breach report that you have previously submitted to us. (Please have your BN reference number to hand when doing so).

Introductory questions

Are you notifying a personal data breach?*

A ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. For further information regarding the obligation to notify personal data breaches to the Data Protection Commission, please see our guidance here

Note: If you are an electronic communications service or network provider and you wish to notify a personal data breach in accordance with S.I. 336 of 2011 only, please click here. If you are notifying a personal data breach in accordance with Article 33 of the GDPR or section 86 of the Data Protection Act 2018, you should continue with the notification form below.

You will be redirected to the DPC Contact page where you can raise your concern with the DPC

Type of notification*

You will now be redirected to the DPC Breach Update web-form

Before you complete this form
Please be advised that this personal data breach notification web-form must be completed in a single session. You are advised to consult the DPC's practical guide to personal data breach notifications under the GDPR, available here, prior to completing this notification.
 
Personal data breach notifications under Article 33 of the GDPR and section 86 of the Data Protection Act 2018 must be made without undue delay and, where feasible, not later than 72 hours after your organisation became aware of the personal data breach. However, if you do not have all required information regarding this breach at this point, you should submit an updated personal data breach notification providing any further information as required, without undue delay.

Is the personal data breach likely to result in a risk to the rights and freedoms of individuals?*

Under the GDPR, an organisation is obliged to notify the DPC of any personal data breach that has occurred, unless they are able to demonstrate that the personal data breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’. This means that the default position for controllers is that all data breaches should be notified to the DPC, except for those where the controller has assessed the breach as being unlikely to present any risk to data subjects and the controller can show why they reached this conclusion. In any event, for all breaches – even those that are not notified to the DPC on the basis that they have been assessed as being unlikely to result in a risk – controllers must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Article 33(5) GDPR and section 86(6) Data Protection Act 2018.
For further information, please see the guidance available here
If you are making a notification under section 86 of the Data Protection Act 2018, please also select 'Yes' below

You are not required to notify this personal data breach to the DPC. However, you must document this personal data breach, including the facts relating to the breach, its effects, and remedial action taken, as required by Article 33(5) of the GDPR.

Does this personal data breach notification relate to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, within the meaning of section 70 of the Data Protection Act 2018?*

Your Supervisory Authority

Are you notifying a breach that concerns cross-border processing of personal data?*

Please confirm if the organisation making this notification has designated in writing a representative in the EU as per Article 27 of the GDPR:*

Please note also that, where data subjects in other EU/EEA states are affected by this incident, you may be required to notify the data protection supervisory authorities of the states in which those data subjects are located. Please see here for the contact details of those authorities.

You are notifying a breach that concerns cross-border processing of personal data. Which of the following two options applies?*

Please indicate the EU Member States in which individuals are substantially affected or likely to be substantially affected*

Please indicate how individuals in other EU/EEA states are substantially affected or are likely to be substantially affected by the personal data breach*

As you are notifying a cross-border breach, is the Data Protection Commission competent to deal with your notification?

About You: Details of the data controller

Which sector does your organisation operate in? *

For an explanation of the industry sectors, please see here (page 325+ for classification).

About You: Details of the data processor

Details of processor organisation (if any) directly associated with this breach

About You: Contact point

Are you the DPO (Data Protection Officer)?*

Identification details of Data Protection Officer

Identification details of person notifying (if not the DPO)

I am contacting the DPC as a processor that has an agreement from a data controller to report a breach on its behalf*

I am the designated person to contact in relation to this personal data breach*

Details of the breach: Timeline of the incident

Do you know the date on which the breach initially occurred?*

Is the breach ongoing?*

A data controller is deemed as having become 'aware' of a personal data breach when it has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised. Data controllers are obliged to implement all appropriate measures to establish immediately whether a breach has taken place and to inform the supervisory authority promptly. For further guidance, please see here

How was the data controller made aware of the breach?*

Details of the breach: Type of breach

Please specify the cause of the breach*

Details of the breach: About the breached data

Types of data affected by the breach*

Special categories of data*

Did the breached data include personal data related to criminal convictions or offences?*

Actual or approximate number of data records*

Details of the breach: About the Data Subjects

Actual or approximate number of affected data subjects*

Were vulnerable individuals affected?*

Individuals can be vulnerable where circumstances may restrict their ability to freely consent or object to the processing of their personal data, or to understand its implications. Article 29 Guidelines cite the following examples of vulnerable data subjects: children, mentally ill persons, asylum seekers, the elderly, patients or employees (in certain circumstances) and where there is an imbalance in the relationship between the position of the data subject and the controller.

Details of the breach: Consequences of the breach

Action taken (Before/After)

Technical and organisational measures in place before the breach

Please provide details, where relevant, of:

  • Up-to-date ICT infrastructure and systems, for example through state-of-the-art encryption of data, configuration of managed services, implementation of the latest patch level and regular system checking.
  • Secure and up-to-date backups.
  • Effective ICT infrastructure borders, including the filtering/blocking of bad actors, intrusion detection software, antivirus software and website security.
  • Access and authentication measures, including permissions, password policies, access authorisation and off-boarding of accounts no longer required.
  • Staff training and awareness
  • Incident response plans
  • Log retention schedules
  • Engagement/auditing of third-party providers

Mitigation Measures

Have you secured/retrieved/restored the breached data?*

Technical and organisational measures put in place following the breach

Communication to data subjects

Have you communicated the incident to affected data subjects?

What medium was used to communicate the incident to affected data subjects?*

If you wish to provide further information such as an anonymised copy of the communication that has been issued to affected individuals, please attach this document at the end of the form

Please outline your reason for not communicating the incident to data subjects.*

Upload supporting documents

If you wish to provide any further information or supporting documentation, please attach your documents here. For example, you may wish to provide copies of the following: an anonymised copy of any communication that was issued to affected data subjects informing them of this personal data breach, any incident report or internal report produced by your organisation in relation to this incident, your organisation’s record of processing activities, or any further relevant information which you wish to include in your submission.
 
File extensions supported are: .zip, .7z, .rar, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rtf, .txt, .pdf, .bmp, .webp, .jpeg, .jpg, .png, .gif
Each file must not exceed 2 MB

Mandatory Declarations