
Accountability & Data Subjects’ Rights

Taking responsibility for ethical management of Personal Data, and being transparent about how your organisation protects people’s rights results in better overall compliance and creates a competitive edge based on developing and keeping people’s trust.

Furthermore, if something does go wrong while your organisation is the custodian of a person’s identifiable information, accountability means showing that you actively considered the risks and put in place measures and safeguards to mitigate these risks. By doing so, you are also protecting your organisation against potential enforcement action.

Lastly, this commitment is a good example to other organisations you deal with about how they should ethically and responsibly manage Personal Data in order to work with your business. On the other hand, if you can’t show good data protection practices, it may leave you open to breaking the trust you have built, as well as possibly incurring fines and reputational damage.

Accountability Tools

  • Applicability Assessment Tool – Does the DIFC DP Law 2020 apply to my entity?

  • High Risk Processing Assessment Tool – Do I conduct HRP?

  • DPO Assessment Tool – Do I need to appoint a DPO?

  • DP Maturity Assessment Tool – Please note, this tool is provided by a third party. The Maturity Assessment tool provides an overall view of your entity’s current DP compliance, where you would like it to be, and recommendations about how to achieve it. Please note that clicking this link will take you to a third-party website, where you will be required to create a user account. Registration is free. The third-party provider is subject to the DIFC DP Law 2020 and other DP laws. Please review their privacy policy to understand how they process personal data and how they assure individual rights.

Individuals’ / Data Subjects’ Rights

Individual Rights and Remedies: The table in this document contains information consolidated from the DP Law 2020 in order to highlight which individuals’ rights are supported, the obligations of Controllers and Processors in managing them, and what remedies are available to individuals, including compensation and damages, for non-compliance with these requirements.

RESOLVING ISSUES IMPACTING PRIVACY RIGHTS IN THE DIFC

If you believe your rights under the DIFC DP Law 2020 have been breached or there may be a high risk to your ability to exercise them, please contact the business or organisation directly to try and work it out. Most businesses and organisations will want to help you resolve your issue quickly, before it comes to the Commissioner's office. Your rights and remedies, including the option to make a complaint or request mediation, are set out in the Individual Rights and Remedies table above.


TIPS FOR RAISING ISSUES DIRECTLY WITH THE COMPANY OR ORGANISATION

Here are some tips for making a complaint directly to a business or other organisation in order to resolve a privacy concern:

  • Evaluate the nature and timeliness of your issue before you proceed. If there is a low risk of harm or no harm caused, or if some time has passed between the event (e.g., non-response to an access claim, or other similar causes of risk to your rights) and your complaint to the company or to our office, this may affect the company’s decision to respond to your complaint, or the Commissioner’s Office’s decision to take up your complaint or agree to mediate.

  • Review the Commissioner’s guidance entitled Individuals’ Rights to Access and Control DIFC Personal Data Processing, available on the Guidance page of the DIFC DP website. This sets out what rights you have and how you may exercise them, how they differ from other options for recourse (i.e., subject access request vs discovery in a court proceeding), how companies may respond (including exemptions and special issues they may consider, such as when requests are manifestly unfounded or excessive, in particular because of their repetitive character), and how long companies have to respond (normally 30 days).

  • If you decide to go ahead with your request or complaint, please check the DIFC Public Register for the correct company name and commercial licence number in case you need it for any communications with them or with the DIFC Commissioner’s Office.

  • Contact the company or organisation through official details provided on the company website (if one exists) or provided by other means.  Under Article 40 of the DP Law 2020, they must provide at least 2 means of contact for such matters. Please note, the DIFC Commissioner’s Office will not necessarily have these details and may not necessarily be required to provide them. However, if the details are incorrect or they are not available at all for this purpose, please let us know. 

  • Organisations should be encouraged to use the DIFC Individuals' Rights Response Assessment tool for guidance about their response to any requests you make.

If you have made a request to access or correct your information, the business or organisation has one month to respond, unless additional time is required to respond to particularly complex or numerous requests. Please see Article 33 of the DP Law 2020, as well as Schedule 1, Article 1 (and any applicable amendments), to determine the meaning of these timing requirements.

You can get in touch with our office for help if you are not happy with their response. 


TIPS AND TOOLS FOR COMPANIES OR ORGANISATIONS RESPONDING TO INDIVIDUAL REQUESTS

Responding to a request from an individual seeking to understand what data is being processed about them is something any business may have to do at some time. These requests are known as subject access requests (SARs); a request may also seek to exercise other rights, such as erasure or portability, which are found primarily in Articles 32 to 40 of the DP Law 2020. Recognising that you have received such a request is half the effort; responding properly is then of vital importance.

Please use the Rights Response Assessment tool to assess whether your business has received such a request and how to respond.

Data Protection Templates

These templates will assist in ensuring accountability for processing activities. These templates are only provided for guidance and format purposes. Provision of them is not to be construed as legal advice. Legal consultants or other duly designated persons acting for the entity may revise, add or remove anything in these templates as appropriate, and the entity remains responsible for its own compliance with DP Law 2020 when using them as a basis for their own purposes.

  • Sample Article 28(1) MOU (written assurances)

  • Sample DP Internal Policy

  • Sample Online DP Notice

  • Sample Record of Processing Activities

  • Compliance Checklist and DPIA

  • Sample DPO Annual Assessment

  • Sample DPO Job Description
