Dubai International Financial Centre (DIFC)

Transferring Personal Data Outside The DIFC

A transfer of personal data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for that personal data. The Commissioner of Data Protection applies the same adequacy standards with regards to third countries as set out by the European Commission.

LIST OF ADEQUATE DATA PROTECTION REGIMES/CENTERS EU COUNTRIES
  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Greece
  • Germany
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom
European Economic Area Member (EEA)Countries
  • Iceland
  • Liechtenstein
  • Norway
Other Countries and Jurisdictions
  • Andorra
  • Argentina
  • Abu Dhabi Global Market
  • Canada
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay

Note On Privacy Shield As A Transfer Mechanism

Privacy Shield, which replaced Safe Harbor in 2016, is a mechanism recognised by the European Commission for transferring personal data between the EU/EEA and the USA only. The DIFC does not recognise it for this reason, as DIFC has no such agreement in place with the USA for transfers of personal data from the DIFC to the USA. Therefore Privacy Shield is not an option for transfers from the DIFC to the USA (or elsewhere). If personal data originating in the DIFC is transferred to the EU and the onward transferred to the USA, only then may Privacy Shield come into play if the transferring organisation has the appropriate Privacy Shield certification. Privacy Shield is currently under review for effectiveness.

UPDATE JULY 16, 2020: The Court of Justice of the European Union in its ruling in the Schrems II case has invalidated Privacy Shield as a legitimate transfer mechanism between the US and the EU / EEA. As DIFC has not permitted this transfer option per the note above, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers, please consider reviewing the transfers made by your entity outside of the DIFC to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive guidance on DP Law 2020 as well as the Data Export assessment tool. Please note that any such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.

For better web experience, please use the website in portrait mode