Data Export & Sharing
Exporting Personal Data Outside DIFC
In accordance with Article 26 of the DP Law 2020, a transfer of Personal Data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an adequate level of protection for that Personal Data. The Commissioner of Data Protection applies adequacy standards based largely on prevailing international best practices and extensive practical application and methodology development.
There are exceptions, however, which are set out in Article 27 of the DP Law 2020, including transfers supported by additional contractual clauses, certain internal data protection policies and processes, or specific derogations in limited circumstances.
Article 28 covers data sharing with government authorities, including law enforcement agencies. Obligations regarding 1) written assurances for handling personal data in line with the DIFC DP Law 2020 or 2) a self-assessment of risk, necessity and proportionality around such sharing are set out in Article 28(1) and Article 28(2), respectively.
Further information on these important articles in DP Law 2020 are available below. For starters, please conduct the Export Assessment to find out where your company stands on compliance with international data transfers requirements.
Model Clauses for Data Export to Importers in Non-Adequate Jurisdictions
The DIFC Standard Contractual Clauses (DIFC SCCs) at the "VIEW FILE" link below are based on a combination of those used in Europe and the UK, for ease of use across as many jurisdictions as possible. They provide additional safeguards in accordance with DP Law 2020, Article 27(2)(c) and as prescribed in Regulation 5 of the DIFC DP Regulations 2020.
Please note: these are not the standard clauses referred to in Article 24(8) of the DP Law 2020. The Commissioner’s Office has recently published suggested Article 24 clauses and guidance. Whether you incorporate the Article 24 clauses or not, please ensure the content of written agreements contain, as needed, data protection clauses sufficient to discharge the obligations set out in Articles 24(5)(b)(i) and 24(5)(b)(x). Further information on these requirements is available here.
DOWNLOAD: Abbreviated DIFC SCCs
DIFC SCCs / EU Modules / UK IDTA Comparison
The DIFC SCCs were compared and synthesized from the most commonly used data sharing safeguard clauses, the EU Model Clauses and the UK IDTA.
A comparison table of these clauses and what resulted ultimately in the DIFC SCCs is available for review. Please share any feedback or questions with commissioner@dp.difc.ae
Article 28: Data Sharing with Public Authorities or Law Enforcement
While government authorities in Third Countries have powers prescribed to them by various applicable local laws, Article 28 sets out safeguards and obligations for sharing Personal Data with them. Where a controller or processor receives a request from any public authority, whether in the UAE or outside the UAE, for the disclosure and transfer of Personal Data, it must undertake steps to ensure that the shared personal data is treated with the same care and provision for the exercise of rights, including access to judicial redress, if it appears that the importing public authority has unlawfully processed it.
General guidance on A28 exists in the Data Export and Sharing Handbook, but specific guidance and FAQs are available at this link.
This sample Article 28 MOU template sufficiently addresses one method of obtaining written assurances as stated in Article 28(1) and s available for download. Please consider using it to respond to government data sharing requests in your business or organisation.
You may also use the A28 Assessment Tool to help you figure out what to do when sharing data with a public authority or law enforcement.
Ethical Data Management Rish Index and EDMRI+
In order to properly apply safeguards for international transfers and to generally comply with the DP Law 2020, or most data protection laws globally, a Controller or Processor should undertake risk assessments, which may be based on the DP law in a jurisdiction, but ideally also on the compliance "environment" to which you are sending Personal Data, so that it is treated with as much care and safety as at “home”.
To this end, the Ethical Data Management Risk Index (EDMRI) and methodology was created by the DIFC Commissioner’s Office to assess the compliance risk of an importing business or entity in a jurisdiction complying or not with contractual, legal, technical, and organisational obligations when receiving Personal Data from a DIFC entity.
The EDMRI+ Due Diligence Risk Assessment, (EDMRI+), the companion due diligence tool, allows you to document your own risk and equivalence assessment of the compliance preparedness of the importing entity you are about to share data with. The resulting EDMRI+ guidance gives you an idea of the gaps in your international transfer plan per importer. This is important because even with adequacy or other transfer control mechanisms in place for your data sharing activities, you should seek to understand whether the businesses your company engages with are fostering privacy as well. Please refer to the EDMRI Guidance for clarification.
The detailed methodology for the EDMRI is set out in Appendix 2 of the Data Export and Sharing Handbook. The EDMRI was developed in December 2020, and is the intellectual property of the Dubai International Financial Centre Authority. EDMRI+ was developed in 2022 as a result of a consultation process and feedback from local DIFC entities as well as international privacy and security experts.
EDMRI Updates
The EDMRI is updated as needed with the aim to update quarterly, as privacy laws are being enacted and policy updates, implementations of new regimes, etc., happen regularly.
Recent updates:
-- Enactment of the first data protection law in Indonesia, the Personal Data Protection Act, and review of index rating.
-- Slovenia enacted bill to implement GDPR via Article 38 of Constitution
-- California: CPRA amendments to CCPA (aka CCPA regulations) went into effect March 29, 2023 and enforceable from July 1, 2023
DIFC Adequacy Decision Process & List of Adequate Data Protection Regimes
The Commissioner’s assessment criteria for determining adequacy recognition of a Third Country or International Organisation is provided in the following documents:
DIFC Adequacy Assessment Questionnaire for Third Country Applicants
Download
DIFC Third Country or Jurisdiction Adequacy Assessment
Download
- EU Countries and EEA
| Austria | Belgium | Bulgaria | Croatia |
| Cyprus | Czech Republic | Denmark | Estonia |
| Finland | France | Greece | Germany |
| Hungary | Ireland | Italy | Latvia |
| Lithuania | Luxembourg | Malta | Netherlands |
| Poland | Portugal | Romania | Slovakia |
| Slovenia | Spain | Sweeden | Iceland |
| Liechtenstien | Norway |
- Other Countries, Jurisdictions and Organisations
|
Andorra |
Argentina |
ADGM |
|
| Canada | Colombia | Faroe Islands | Guernsey |
| Isle of Man | Israel | Japan | Jersey |
| New Zealand | Switzerland | Uruguay | |
| Singapore | CBPR |
UK Data Bridge
On December 15, 2022, the DIFC CEO together with the DIFC Commissioner of Data Protection and the UK Minister of State for Media, Data and Digital Infrastructure issued a joint statement regarding positive progress on the building of a “data bridge” for sharing personal data and information with trust between the UK and the DIFC, and spanning eventually across the UAE.
UK - DIFC Data Bridge Joint Statement
Note regarding US-EU Privacy Framework
On March 25, 2022, the US Government and the European Commission announced an agreement in principle to a new framework for transfers from the EU to the US, called the Trans-Atlantic Data Privacy Framework (the "Framework"). On October 7, 2022, President Biden issued an Executive Order regarding implementation of the Framework. Please review the White House joint statement with the European Commission setting out the primary elements and requirements of the framework, and the fact sheet issued by the White House setting out the key elements of the Framework, including updates to the way the US Intelligence Community gathers and processes personal data, and an independent and binding review and redress mechanism.
As of December 14, 2022, the EU issued a draft adequacy decision about the agreed Privacy Framework. Further updates will be provided as approvals progress is made.
On February 28, 2023, the EDPB issued its Opinion on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. Opinion 5/2023 is available here.
DIFC DP Commissioner's Office anticipates that the Framework will not directly apply to transfers from the DIFC as it is an agreement between the EU and the US. However, if your business entity is part of a multi-national or group of companies that engage in transfers / onward transfers from the EU, it will come into play. In such cases, please consider reviewing the transfers made by your entity once Personal Data leaves the DIFC for processing in the EU, to ensure the transfers remain compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive guidance on DP Law 2020 as well as the Data Export assessment tool. Please note that any such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.
Sharing Personal Data in response to US Securities & Exchange Commission Information Requests
On June 27, 2021, the DIFC Data Protection Commissioner’s Office issued a letter analyzing the impact of DIFC data protection law on transfers to the United States Securities and Exchange Commission (SEC) of Personal Data from DIFC-based firms or branches that are registered, required to be registered, or otherwise regulated by the SEC (“DIFC-based SEC firms”), such as DFSA regulated entities. While this is not an adequacy decision, it permits such transfers and may be accessed by such DIFC-based SEC firms as needed in order to lawfully share Personal Data in this context.
DIFC / SEC Data Sharing Letter
Download
Approved Binding Corporate Rules
| Company Name | Registered Number | Binding Corporate Rules (website) | DFSA Status |
| Cisco Capital (Dubai) Limited | 779 | Binding Corporate Rules (cisco.com) | Regulated |
| Citigroup Global Markets Limited | 221 | Pending | Regulated |
| EY MENA Services Ltd | 3022 | Pending | Non-regulated |
| Hyatt International – South West Asia Limited | 501 | Pending | Non-regulated |
| Novelis MEA Ltd | 1278 | Pending | Non-regulated |
| RGA Reinsurance Company Middle East Limited | 221 | Binding Corporate Rules (rgare.com) | Regulated |
| XL Re Europe SE (DIFC Branch) | 1562 | Binding Corporate Rules (axa.com) | Regulated |
Non - Legislative Consultation Materials - Nov 2022
- Enabling Technology and Data Sharing through Multi-lateral "Adequacy"
Non-Legislative Consultation Paper:
Enabling Technology and Multilateral Adequacy Platform for Data Sharing