Accountability & Data Subjects’ Rights
Taking responsibility for ethical management of Personal Data, and being transparent about how your organisation protects people’s rights results in better overall compliance and creates a competitive edge based on developing and keeping people’s trust.
Furthermore, if something does go wrong while your organisation is the custodian of a person’s identifiable information, accountability means showing that you actively considered the risks and put in place measures and safeguards to mitigate these risks. By doing so, you are also protecting your organisation against potential enforcement action.
Lastly, this commitment is a good example to other organisations you deal with about how they should ethically and responsibly manage Personal Data in order to work with your business. On the other hand, if you can’t show good data protection practices, it may leave you open to breaking the trust you have built, as well as possibly incurring fines and reputational damage.
Applicability Assessment Tool – Does the DIFC DP Law 2020 apply to my entity?
High Risk Processing Assessment Tool – Do I conduct HRP?
DPO Assessment Tool – Do I need to appoint a DPO?
DP Assessment Tool - Privacy Notices (Articles 29 & 30)
Click the button below to access the Data Protection Maturity Assessment tool. This tool provides a overall view of your entity’s current DP compliance, where you would like it to be and recommendations about how to achieve it.
Individuals’ Rights and Redress
The rights of individuals, commonly known in Data Protection law as Data Subjects, are the most important consideration in any organisation's accountbility framework. Enforcement action is much more severe where such rights have been unlawfully limited or restricted, and / or where redress is not sufficiently provided.
For support understanding the requirements on rights and remedies set out in DP Law 2020, please click the button below to view a table that highlights:
- which individuals’ rights are supported;
- the obligations of Controllers and Processors in managing them; and
- remedies available to individuals, including compensation and damages, for non-compliance with these requirements.
RESOLVING ISSUES IMPACTING PRIVACY RIGHTS IN THE DIFC
If you believe your rights under the DIFC DP Law 2020 have been breached or there may be a high risk to your ability to exercise them, please contact the business or organisation directly to try and work it out. Most businesses and organisations will want to help you resolve your issue quickly, before it comes to the Commissioner's office. Your rights and remedies, including the option to make a complaint or request mediation, are set out in the Individual Rights and Remedies table above.
TIPS FOR RAISING ISSUES DIRECLTY WITH THE COMPANY OR ORGANISATION
Here are some tips for making a complaint to a business or other organization directly, in order for you resolve a privacy concern:
Evaluate the nature and timeliness of your issue before you proceed. If there is low risk of harm / no harm caused or some time has passed between the event (i.e., non-response to an access claim, or other similar causes of risk to your rights) and your complaint to the company or to our office, it may reflect on the decisions by the company or the Commissioner’s Office to respond to or take up your complaint or agree to mediate (in the case of the Commissioner’s Office)
Review the Commissioner’s guidance entitled Individuals’ Rights to Access and Control DIFC Personal Data Processing, available on the Guidance page of the DIFC DP website. This sets out what rights you have and how you may exercise them, how they differ from other options for recourse (i.e., subject access request vs discovery in a court proceeding), how companies may respond (including exemptions and special issues they may consider, such as when requests are manifestly unfounded or excessive, in particular because of their repetitive character), and how long companies have to respond (normally 30 days).
If you decide to go ahead with your request or complaint, please check the DIFC Public Register for the correct company name and commercial license number in case you need it for any communications with them or with the DIFC Commissioner’s Office
Contact the company or organisation through official details provided on the company website (if one exists) or provided by other means. Under Article 40 of the DP Law 2020, they must provide at least 2 means of contact for such matters. Please note, the DIFC Commissioner’s Office will not necessarily have these details and may not necessarily be required to provide them. However, if the details are incorrect or they are not available at all for this purpose, please let us know.
Organisations should be encouraged to use the DIFC Individuals' Rights Response Assessment tool for guidance about their response to any requests you make.
If you have made a request to access or correct your information, the business or organisation has one month to respond, unless additional time is required to respond to particularly complex or numerous requests. Please see the Article 33 of the DP Law 2020, as well as Schedule 1, Article 1 (and any applicable amendments) to determine the meaning of these timing requirements.
You can get in touch with our office for help if you are not happy with their response.
TIPS AND TOOLS FOR COMPANIES OR ORGANISATIONS RESPONDING TO INDIVIDUAL REQUESTS
Responding to a request from an individual seeking to understand what data is being processed about them is something any business may have to do at some time. These requests are known as subject access requests or SARs, or may also be a request to exercise rights such as that of erasure, portability, etc. – found primarily in Articles 32 to 40 of the DP Law 2020. Knowing whether you have received such a request is half the effort, and then properly responding is of vital importance.
Please use this tool to assess whether your business has received such a request and how to respond.Rights Response Assessment
Data Protection Templates
These templates will assist in ensuring accountability for processing activities. These templates are provided only for guidance and format purposes. Provision / content of these templates is not to be construed as legal advice.
Legal consultants or other duly designated persons acting for the entity may revise, add or remove anything in these templates as appropriate, and the entity remains responsible for its own compliance with DP Law 2020 when using them as a basis for their own purposes.
Sample Government Data Sharing MOU (Article 28 - written assurances)VIew File
Sample Government Data Sharing Policy (Article 28)VIew File
Sample Compliance Checklist and DPIA (Part 2D and Article 20)
Sample Record of Processing Activities (ROPA) (Article 15)
Sample DPO Job Description (Articles 16 to 18)
Sample DPO Annual Assessment (Article 19)