top of page


Please note Engaged Tracking (ET) Index is now trading as Urgentem. 


  1. Scope

    1. This procedure applies in the event of a personal data breach under Article 33 of the GDPR – Notification of a personal data breach to the supervisory authority – and Article 34 – Communication of a personal data breach to the data subject.

    2. The GDPR draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. Each organisation should establish whether it is data controller, or a data processor for the same data processing activity; or whether it is a joint controller.


  1. Responsibility

    1. All users (whether Employees/Staff, contractors or temporary Employees/Staff and third party users) of Urgentem. are required to be aware of, and to follow this procedure in the event of a personal data breach.

    2. All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to the Data Protection Officer.


  1. Procedure – Breach notification data controller to supervisory authority

    1. Urgentem. determines if the supervisory authority need to be notified in the event of a breach.

    2. Urgentem. assesses whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting regular impact assessments (including data breach).

    3. If a risk to data subject(s) is likely, Urgentem. reports the personal data breach to the supervisory authority (in the UK it is the ICO) without undue delay, and not later than 72 hours.

    4. If the data breach notification to the supervisory authority is not made within 72 hours, Urgentem.’s Data Protection Officer submits it electronically with a justification for the delay.

    5. If it is not possible to provide all the necessary information at the same time Urgentem. will provide the information in phases without undue further delay.

    6. The following information needs to be provided to the supervisory authority:

      1. A description of the nature of the breach.

      2. The categories of personal data affected.

      3. Approximate number of data subjects affected.

      4. Approximate number of personal data records affected.

      5. Name and contact details of the Data Protection Officer.

      6. Consequences of the breach.

      7. Any measures taken to address the breach.

      8. Any information relating to the data breach.

    7. The Data Protection Officer notifies the supervisory authority, the ICO.

    8. In the event the supervisory authority assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach Register.

    9. The breach notification is made by our DPO.


  1. Procedure – Breach notification data controller to data subject

    1. If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Urgentem. notifies those/the data subjects affected immediately.

    2. The notification to the data subject describes the breach in clear and plain language, in addition to information specified in clause 3.6 above.

    3. Urgentem. takes measures to render the personal data unusable to any person who is not authorised to access it using (we use encryption).

    4. The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to occur.

    5. If the breach affects a high volume of data subjects and personal data records, Urgentem. makes a decision based on assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder the Urgentem.’s ability to appropriately provide the notification within the specified time frame. In such a scenario a public communication or similar measure informs those affected in an equally effective manner.

    6. If Urgentem. has not notified the data subject(s), and the supervisory authority considers the likelihood of a data breach will result in high risk, Urgentem. will communicate the data breach to the data subject.

    7. Urgentem. documents any personal data breach(es), incorporating the facts relating to the personal data breach, its effects and the remedial action(s) taken.

bottom of page