Dubai International Financial Centre (DIFC)

Data Protection

DIFC Data Protection

The Data Protection Law prescribes rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC, the rights of individuals to whom the personal data relates and the power of the Commissioner of Data Protection in performing their duties in respect of matters related to the processing of personal data as well as the administration and application of the Data Protection Law.

The Data Protection Law embodies international best practice standards and is consistent with EU regulations and OECD guidelines. It is designed to balance the legitimate needs of businesses and organizations to process personal information while upholding an individual’s right to privacy.

To help persons and businesses operating in the DIFC maintain compliance with the Data Protection Law, this site has been designed to provide a useful point of reference and guidance, as well as assist individuals who wish to find out more about the obligations and rights available to them under the Data Protection Law.

Data Protection Law

The Law prescribes rules and regulations regarding the collection, handling, and use of personal data in DIFC. The Law also offers protection to the rights of individuals on their personal data.


Data Protection Regulations

A strict set of rules, consistent with the Data Protection Directive of the European Commission, which ensures harmonisation of the data and financial penalties for non-compliance.


Why Data Protection Matters

In an era of increased globalization and rapid advances in technology, information has never been more readily available and transmittable. Businesses, and in particular banking and financial organizations, are increasingly processing and exchanging individual data electronically and across borders.

Personal Data includes any information relating to an individual, usually information that can be linked to identify a specific person. Biometric data, photos, even IP addresses can all be considered Personal Data in context. Sensitive personal data is that which is subjective or inherent to the person, such as ethnicity, religion or political or philosophical beliefs. The processing and mishandling of personal data, whether voluntary or involuntary, can have significant consequences, including credit card and identity theft. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect personal data and its processing.


Note On Privacy Shield As A Transfer Mechanism

Privacy Shield, which replaced Safe Harbor in 2016, is a mechanism recognised by the European Commission for transferring personal data between the EU/EEA and the USA only. The DIFC does not recognise it for this reason, as DIFC has no such agreement in place with the USA for transfers of personal data from the DIFC to the USA. Therefore Privacy Shield is not an option for transfers from the DIFC to the USA (or elsewhere). If personal data originating in the DIFC is transferred to the EU and then onward transferred to the USA, only then may Privacy Shield come into play if the transferring organisation has the appropriate Privacy Shield certification. Privacy Shield is currently under review for effectiveness.
