DIFC
  • Stay up-to-date with DIFC’s responses to COVID19
  • Read more

Transferring Personal Data Outside The DIFC

A transfer of personal data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for that personal data. The Commissioner of Data Protection applies adequacy standards based largely on prevailing international best practices and extensive practical application and methodology development.

You can use this export assessment tool to help understand your entity’s obligations regarding international data transfers.

Export Assessment Tool


Model Clauses for Data Export to Non-adequate jurisdictions:

Please note: these are not the standard contractual clauses referred to in Article 24(8) of DP Law 2020. The Commissioner’s Office has not yet published such clauses for including in contracts, but may do so in the future. Generally, at this time please ensure the content of any such written agreement contains clauses sufficient to discharge the obligations in Articles 24(5)(b)(i) to 24(5)(b)(x). The Model Clauses below are based on those used in Europe and the UK to provide additional safeguards in accordance with DP Law 2020 Article 27(2)(c) and as prescribed in Regulation 5 of the DP Regulations.

To a non-DIFC Controller

For sharing data in such manner between a DIFC Controller and a non-DIFC Controller

VIew File

To a non-DIFC Processor

For sharing data in such manner between a DIFC Controller and a non-DIFC Processor

VIew File



LIST OF ADEQUATE DATA PROTECTION REGIMES/CENTERS

EU COUNTRIES
  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Greece
  • Germany
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
European Economic Area Member (EEA)Countries
  • Iceland
  • Liechtenstein
  • Norway
Other Countries and Jurisdictions
  • Andorra
  • Argentina
  • Abu Dhabi Global Market
  • Canada
  • Faroe Islands
  • Guernsey
  • Isle of Man
  • Israel 
  • Japan
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay  
  • United Kingdom

 

On June 27, 2021, the DIFC Data Protection Commissioner’s Office issued a letter analyzing the impact of DIFC data protection law on transfers to the United States Securities and Exchange Commission (SEC) of personal data from DIFC-based firms or branches that are registered, required to be registered, or otherwise regulated by the SEC (“DIFC-based SEC firms”), such as DFSA regulated entities. While this is not an adequacy decision, it permits such transfers and may be accessed by such DIFC-based SEC firms as needed in order to lawfully share Personal Data in this context. 


APPROVED BINDING CORPORATE RULES  

Company Name Registered Number Binding Corporate Rules (website) DFSA Status
Cisco Capital (Dubai) Limited 779 Pending Regulated
Citigroup Global Markets Limited 221 Pending Regulated
EY MENA Services Ltd 3022 Pending Non-regulated
Hyatt International – South West Asia Limited 501 Pending Non-regulated
Novelis MEA Ltd 1278 Pending Non-regulated
RGA Reinsurance Company Middle East Limited 221 Binding Corporate Rules (rgare.com) Regulated
Note On Privacy Shield As A Transfer Mechanism

UPDATE JULY 16, 2020: The Court of Justice of the European Union in its ruling in the Schrems II case has invalidated Privacy Shield as a legitimate transfer mechanism between the US and the EU / EEA. As DIFC has not permitted this transfer option per the note above, hopefully the impact on DIFC entities will be low.  However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers, please consider reviewing the transfers made by your entity outside of the DIFC to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive guidance on DP Law 2020 as well as the Data Export assessment tool.  Please note that any such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.

 

NON-LEGISLATIVE DATA PROTECTION CONSULTATION ON UPDATED PROPOSED DIFC DATA EXPORT AND SHARING MATERIALS – ENDED SEPTEMBER 30, 2021

For better web experience, please use the website in portrait mode