Exporting Personal Data Outside DIFC
In accordance with Article 26 of the DP Law 2020, a transfer of Personal Data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for that Personal Data. The Commissioner of Data Protection applies adequacy standards based largely on prevailing international best practices and extensive practical application and methodology development.
There are exceptions, however, which are set out in Article 27 of the DP Law 2020, including transfers supported by additional contractual clauses, certain internal data protection policies and processes, or specific derogations in limited circumstances.
Article 28 covers data sharing with government authorities, including law enforcement agencies. Obligations regarding 1) written assurances for handling personal data in line with the DIFC DP Law 2020 or 2) a self-assessment of risk, necessity and proportionality around such sharing are set out in Article 28(1) and Article 28(2), respectively.
A sample Article 28 MOU template, which sufficiently addresses one method of obtaining written assurances as stated in Article 28(1), is available for download. Please consider using it to respond to government data sharing requests in your business or organisation. This and other methods to comply with Article 28(1) or 28(2) are discussed in the DIFC Data Export & Sharing Handbook.
Please review the Handbook to understand how to approach transfers of Personal Data outside of the DIFC. You can also use this export assessment tool to help understand your entity’s obligations regarding international data transfers.
MODEL CLAUSES FOR DATA EXPORT TO IMPORTERS IN NON-ADEQUATE JURISDICTIONS
The DIFC Standard Contractual Clauses (DIFC SCCs) at the "VIEW FILE" link below are based on a combination of those used in Europe and the UK, for ease of use across as many jurisdictions as possible. They provide additional safeguards in accordance with DP Law 2020, Article 27(2)(c) and as prescribed in Regulation 5 of the DIFC DP Regulations 2020.
The IDTA / EU SCCs Modules comparison table is available for you to review at this link.
Please note: these are not the standard clauses referred to in Article 24(8) of the DP Law 2020. The Commissioner’s Office has not yet published such clauses, but may do so in the future. Generally, at this time please ensure the content of any such written agreement contains clauses sufficient to discharge the obligations set out in Articles 24(5)(b)(i) and 24(5)(b)(x).
DIFC ADEQUACY DECISION PROCESS & LIST OF ADEQUATE DATA PROTECTION REGIMES
The Commissioner’s assessment criteria for determining adequacy recognition of a Third Country or International Organisation are provided in the following documents:
- Czech Republic
European Economic Area Member (EEA) Countries
Other Countries and Jurisdictions
- Faroe Islands
- Isle of Man
- New Zealand
- Republic of Korea
On June 27, 2021, the DIFC Data Protection Commissioner’s Office issued a letter analyzing the impact of DIFC data protection law on transfers to the United States Securities and Exchange Commission (SEC) of Personal Data from DIFC-based firms or branches that are registered, required to be registered, or otherwise regulated by the SEC (“DIFC-based SEC firms”), such as DFSA regulated entities. While this is not an adequacy decision, it permits such transfers and may be accessed by such DIFC-based SEC firms as needed in order to lawfully share Personal Data in this context.
APPROVED BINDING CORPORATE RULES
| Company Name | Registered Number | Binding Corporate Rules (website) | DFSA Status |
| --- | --- | --- | --- |
| Cisco Capital (Dubai) Limited | 779 | Pending | Regulated |
| Citigroup Global Markets Limited | 221 | Pending | Regulated |
| EY MENA Services Ltd | 3022 | Pending | Non-regulated |
| Hyatt International – South West Asia Limited | 501 | Pending | Non-regulated |
| Novelis MEA Ltd | 1278 | Pending | Non-regulated |
| RGA Reinsurance Company Middle East Limited | 221 | Binding Corporate Rules (rgare.com) | Regulated |
NOTE ON THE US-EU TRANS-ATLANTIC DATA PRIVACY FRAMEWORK
On July 16, 2020, the Court of Justice of the European Union, in its ruling in the Schrems II case, invalidated Privacy Shield as a legitimate transfer mechanism between the US and the EU / EEA. DIFC had not permitted Privacy Shield as a mechanism for international transfers, as it applied to transfers and onward transfers from the EU to the US only. In any case, the ruling had a significant impact on data transfers globally: for a long period of time, transfers to the US from Europe were technically "illegal", and onward transfers from DIFC or other non-EU jurisdictions would potentially have been "illegal" as well.
On March 25, 2022, the US Government and the European Commission announced an agreement in principle to a new framework for transfers from the EU to the US, called the Trans-Atlantic Data Privacy Framework (the "Framework"). Please review the White House joint statement with the European Commission setting out the primary elements and requirements of the framework.
The DIFC DP Commissioner's Office anticipates that, as above, the Framework will not apply to transfers directly from the DIFC, as it is an agreement between the EU and the US. However, if your entity is part of a multi-national or group business that engages in transfers / onward transfers from the EU, it may come into play. In such cases, please consider reviewing the transfers made by your entity once Personal Data leaves the DIFC for processing in the EU, to ensure the transfers remain compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive guidance on DP Law 2020 as well as the Data Export assessment tool. Please note that any such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.