Established in 2004 by Federal and Dubai law, DIFC was the first jurisdiction in the GCC, that same year, to enact a data protection law and regulations. In 2007, the independent Office of the Commissioner of Data Protection was established. The current data protection law was enacted in May 2020.
Data Protection Law, DIFC Law No. 5 of 2020 ("DP Law 2020") embodies international best practice and is consistent with EU and UK data protection regulations, as well as with OECD guidelines. The DIFC Commissioner of Data Protection responsible for supervision and enforcement of the DP Law 2020 is Jacques Visser.
Quick links
To help businesses operating in DIFC comply with DP Law 2020, this site has been designed to provide guidance, tools, frameworks, and other helpful resources, as well as to assist individuals who wish to find out more about the obligations and rights available to them under the Data Protection Law. Topic specific sub-menus with extensive details and information are provided below. To help you find regularly requested information quickly, the following list contains links to the most commonly used resources:
Individual Rights & Redress - including information about submitting complaints to the Commissioner's Office
List of Adequate Data Protection Regimes (Article 26)
Model Clauses / Standard Contractual Clauses (Article 27(2)(c))
Article 28 Government Data Sharing compliance assessment
EDMRI and EDMRI+ due diligence assessment
Step by Step Guide to Notifying Commissioner of Processing
Personal Data Breach Reporting Form
Tools & Templates - including easy to use assessment tools for compliance with DP Law 2020
Data Protection Law
DP Law 2020 prescribes rules and obligations regarding the collection, handling, and use of personal data as well as rights and remedies for individuals who may be impacted by such processing. It is designed to balance the legitimate needs of businesses and organisations to process personal information with upholding an individual’s right to privacy. Due to the robust, comprehensive nature of the DIFC DP Law 2020, it is the only jurisdiction in the GCC or Middle East to be evaluated by the United Kingdom as one of six Data Bridge priority partners.
Data Protection regulations
The DIFC Data Protection Regulations 2020 set out the procedures and requirements for specific obligations in the DP Law 2020, including notifications to the Commissioner, fines and sanctions, and international data transfers.
Why data protection matters
In an era of increased globalisation and rapid advances in technology, information has never been more readily available and transmittable. Businesses and in particular, banking and financial organisations, are processing and exchanging individual data electronically and across borders in greater volumes every day.
Personal Data includes any information relating to a living individual, that specifically identifies him or her. Biometric data, photos, even IP addresses can all be considered Personal Data in context. Special Category Data is that which is subjective or inherent to the person, such as ethnicity, religion or political or philosophical beliefs.
The result of the processing and mishandling –voluntary or involuntary- of any type of Personal Data can have significant consequences, including exposure to risk relating to financial or other serious damages. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect Personal Data and its processing.
