Data Protection

Data Protection in the DIFC

Established in 2004 by Federal and Dubai law, the DIFC was the first jurisdiction in the GCC, that same year, to enact a data protection law and regulations. In 2007, the independent Office of the Commissioner of Data Protection was established.  The current data protection law was enacted in May 2020.  

Data Protection Law, DIFC Law No. 5 of 2020 embodies international best practice, and is consistent with EU and UK data protection regulations, as well as with OECD guidelines.  The DIFC Commissioner of Data Protection responsible for supervision and enforcement of the DP Law 2020 is Jacques Visser.


Quick Links

To help businesses operating in the DIFC comply with DP Law 2020, this site has been designed to provide guidance, tools, frameworks, and other helpful resources, as well as to assist individuals who wish to find out more about the obligations and rights available to them under the Data Protection Law.  Topic specific sub-menus with extensive details and information are provided below.  To help you find regularly requested information quickly, the following list contains links to the most commonly used resources: 


Individual Rights & Redress - including information about submitting complaints to the Commissioner's Office

List of Adequate Data Protection Regimes (Article 26)

Model Clauses / Standard Contractual Clauses (Article 27(2)(c))

Article 28 Government Data Sharing compliance assessment 

EDMRI and EDMRI+ due diligence assessment

Step by Step Guide to Notifying Commissioner of Processing

Personal Data Breach Reporting Form

Frequently Asked Questions

Tools & Templates - including easy to use assessment tools for compliance with DP Law 2020


Data Protection Law

Data Protection Law, DIFC Law No 5 of 2020 ("DP Law 2020") prescribes rules and obligations regarding the collection, handling, and use of Personal Data as well as rights and remedies for individuals who may be impacted by such processing. It is designed to balance the legitimate needs of businesses and organizations to process personal information with upholding an individual’s right to privacy.  Due to the robust, comprehensive nature of the DIFC DP Law 2020, it is the only jurisdiction in the GCC or Middle East to be evaluated by the United Kingdom as one of six Data Bridge priority partners.   

Read more

Data Protection Regulations

The DIFC Data Protection Regulations 2020 set out the procedures and requirements for specific obligations in the DP Law 2020, including notifications to the Commissioner, fines and sanctions, and international data transfers.

Read more

Why Data Protection Matters

In an era of increased globalization and rapid advances in technology, information has never been more readily available and transmittable. Businesses and in particular, banking and financial organizations, are processing and exchanging individual data electronically and across borders in greater volumes every day. 

Personal Data includes any information relating to a living individual, that specifically indentifies him or her. Biometric data, photos, even IP addresses can all be considered Personal Data in context.  Special Cateogry Data is that which is subjective or inherent to the person, such as ethnicity, religion or political or philosophical beliefs. 

The result of the processing and mishandling –voluntary or involuntary- of any type of Personal Data can have significant consequences, including exposure to risk relating to financial or other serious damages. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect Personal Data and its processing. 

Read more

For better web experience, please use the website in portrait mode