DIFC Data Protection
The Data Protection Law prescribes rules and regulations regarding the collection, handling, disclosure and use of personal data in the DIFC, the rights of individuals to whom the personal data relates and the power of the Commissioner of Data Protection in performing their duties in respect of matters related to the processing of personal data as well as the administration and application of the Data Protection Law.
The Data Protection Law embodies international best practice standards and is consistent with EU regulations and OECD guidelines. It is designed to balance the legitimate needs of businesses and organizations to process personal information while upholding an individual’s right to privacy.
To help persons and businesses operating in the DIFC maintain compliance with the Data Protection Law, this site has been designed to provide a useful point of reference and guidance, as well as assist individuals who wish to find out more about the obligations and rights available to them under the Data Protection Law.
Data Protection Law
The Law prescribes rules and regulations regarding the collection, handling, and use of personal data in DIFC. The Law also protects the rights of individuals with respect to their personal data.
Data Protection Regulations
A strict set of rules that are consistent with the Data Protection Directive of the European Commission, which ensures harmonisation of the data and financial penalties for non-compliance.
Why Data Protection Matters
In an era of increased globalization and rapid advances in technology, information has never been more readily available and transmittable. Businesses, and in particular banking and financial organizations, are increasingly processing and exchanging individual data electronically and across borders.
Personal Data includes any information relating to an individual, usually by linking it to be able to identify a specific person. Biometric data, photos, even IP addresses can all be considered Personal Data in context. Sensitive personal data is that which is subjective or inherent to the person, such as ethnicity, religion or political or philosophical beliefs. The result of the processing and mishandling (voluntary or involuntary) of personal data can have significant consequences, including credit card and identity theft. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect personal data and its processing.
Note On Privacy Shield As A Transfer Mechanism
Privacy Shield, which replaced Safe Harbor in 2016, is a mechanism recognised by the European Commission for transferring personal data between the EU/EEA and the USA only. The DIFC does not recognise it for this reason, as DIFC has no such agreement in place with the USA for transfers of personal data from the DIFC to the USA. Therefore, Privacy Shield is not an option for transfers from the DIFC to the USA (or elsewhere). If personal data originating in the DIFC is transferred to the EU and then onward transferred to the USA, only then may Privacy Shield come into play if the transferring organisation has the appropriate Privacy Shield certification. Privacy Shield is currently under review for effectiveness.
UPDATE JULY 16, 2020: The Court of Justice of the European Union in its ruling in the Schrems II case has invalidated Privacy Shield as a legitimate transfer mechanism between the US and the EU / EEA. As DIFC has not permitted this transfer option per the note above, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers, please consider reviewing the transfers made by your entity outside of the DIFC to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive guidance on DP Law 2020 as well as the Data Export assessment tool. Please note that any such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.