The data protection legislation is intended to protect the processing of Personal Data by a Controller or Processor or any Third Party related thereto. It also reinforces ethical data management through accountability requirements. It creates a legal and procedural framework which ensures that an individual’s Personal Data in the DIFC is treated fairly, lawfully and securely when it is stored, used or released.
The data protection legislation strikes a balance between a Data Subject’s right to control access to, and the use of, their Personal Data with a Controller’s need to collect and use Personal Data for legitimate or other specific legal purposes.
The Commissioner of Data Protection is responsible for administering the Data Protection Law.
DP Law 2020 applies in the jurisdiction of the DIFC, to the Processing of Personal Data: (a) by automated means; and (b) other than by automated means where the Personal Data forms part of a Filing System or is intended to form part of a Filing System.
It applies to the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not. It also applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. The point to understand for this second limb is the context of the non-DIFC entity's Processing activity within the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC.
Processing "in the DIFC" occurs when the means or personnel used to conduct the Processing activity are physically located in the DIFC, and Processing "outside the DIFC" is to be interpreted accordingly.
So even though an entity may be located outside the DIFC, and may not be registered or licensed in the DIFC, the DP Law 2020 will apply to Processing operations performed as a result of an engagement with a DIFC entity that is ongoing, contractual, or otherwise demonstrably more than a one-off instance of Processing. The non-DIFC entity ordinarily would not be required to notify the Commissioner or perform other administrative tasks such as appointing a DPO, although it may do so voluntarily as best practice. The non-DIFC entity may also be subject to liabilities such as fines or third party claims.
DP Law 2020 does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.
Please see Article 6 of the DP Law 2020 for further information.
Personal Data is any information relating to an identified natural person or Identifiable Natural Person. For example, Personal Data may include an individual’s name, age, home address, income, marital status, education, or employment information, or any combination of these things. If one element of information does not identify someone on its own, such as the name “John Smith”, other elements will ordinarily contribute to identifying a person. In accordance with DIFC law, a legal entity or organization does not have Personal Data.
Special Category Data is Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life, and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person. General information such as names and addresses does not traditionally constitute Special Category Data. Any possible exceptions should be discussed with the Commissioner of Data Protection.
Whether information relates to a particular individual will be a question of fact in each case. If a connection can be made between the information and an individual, then the information is Personal Data. Personal Data can relate to more than one individual. For example, information concerning a joint bank account relates to both account holders and therefore is the Personal Data of each account holder and would be protected as such.
Personal Data includes any Data relating to an individual, not only factual records. An employer’s appraisal of, or opinion about, an employee is therefore that employee’s Personal Data.
A Controller is any person in the DIFC who determines the purposes for which, and the manner in which, any Personal Data is to be Processed.
A Processor is any person who Processes Personal Data on behalf of a Controller.
A Data Subject is the individual to whom the Personal Data relates. For example, where an organisation holds Personal Data about its employees, the employees are Data Subjects.
The data protection legislation gives certain rights to Data Subjects concerning their Personal Data and Sensitive Personal Data. Generally, a Data Subject has the right to access any Personal Data that is kept about them.
If the Personal Data Processed by the Data Controller is inaccurate, the Data Subject can request that the Data Controller take action to rectify, block or destroy the inaccurate data. However, there are certain circumstances, or exemptions, in which a Data Controller is not required to notify a Data Subject that Personal Data is being Processed, for example where Personal Data is being released to a legitimate authority to comply with anti-money laundering obligations.
A Data Subject can object on reasonable grounds to the Processing of their Personal Data, and can request that their Personal Data not be disclosed to third parties. This includes circumstances where an individual requests that a Data Controller cease Processing Personal Data for the purposes of direct marketing. If the Data Controller refuses the request, the Data Subject may file a complaint with the Commissioner of Data Protection at the DIFC, who may refer the matter to mediation.
A Third Party is any person other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct authority of the Data Controller or the Data Processor, are authorised to Process the Personal Data.
A Recipient is any person to whom Personal Data is disclosed. An example of a Recipient is a member of the human resources department in an organisation who receives Personal Data or Sensitive Personal Data about employees of that organisation.
Processing is any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:
The Controller must notify the Commissioner of Data Protection when it is:
Notification by a Controller is carried out by completing the notification form available in the DIFC Client Portal and submitting it to the Commissioner of Data Protection at the DIFC.
A Controller must securely keep any Personal Data it collects and process it fairly and lawfully. At or before the time Personal Data is collected from a Data Subject, a Controller should take reasonable steps to ensure that the Data Subject is aware of:
If a Controller intends to Process the Personal Data it collects from a Data Subject, it is suggested that the Controller obtain the Data Subject’s written consent to that Processing at the time the Personal Data is collected.
The Controller should consider the following for all Personal Data:
The Controller should consider the following matters:
Before Personal Data is transferred outside the DIFC the Controller should consider the following matters:
Under the DP Law 2020, Processors (and where applicable, Sub-processors) have certain compliance obligations and notification requirements as well. Please review the DP Law 2020 particularly at Articles 14 to 22 and Article 24.
Yes. The schedule of fees is set out below:

| Upon receipt by the Commissioner of Data Protection of: | Category I | Category II | Category III |
| --- | --- | --- | --- |
| Annual renewal of the registration | $500 | $250 | $100 |
| Amendments to the registrable particulars of the notification | $100 | $50 | $10 |
| Notification to inform the Commissioner of Data Protection of not Processing Personal Data | Nil | Nil | Nil |
| Amendments to contact details | Nil | Nil | Nil |
Permits for processing Special Category Data and for Transfers out of the DIFC are no longer required or available. Please ensure your entity can justify such processing on another legitimate basis set out in the DP Law 2020.
Accountability is captured in Articles 14 to 22 of the DP Law 2020. It is, in a nutshell, a means of showing transparency and proper management and handling of a very important asset: your Personal Data.
It includes taking such measures as appointing a Data Protection Officer or “DPO”, who is someone who independently manages accountability and DP compliance within a company. It also includes carrying out impact assessments to understand the risks (security, sharing, access, etc.) to your Personal Data.
A DPO is not always required. It is mandatory to appoint someone to this role in only three specific instances, the most commonly applicable being where an entity engages in High Risk Processing or where the Commissioner directs an entity to do so. Please review Articles 16 to 18 of the DP Law 2020 for further details about the role, skills and tasks of the DPO.
Following the entry into force of the DIFC Data Protection Law, DIFC registered entities with an appointed Data Protection Officer (DPO) are required to submit an annual Assessment under Article 19 of the DIFC Data Protection Law, DIFC Law No. 5 of 2020.
The first submission of the Annual Assessment (if required in accordance with Article 19, i.e., where a DPO must be appointed) will be made on the first license renewal date after July 1, 2021.
Please note that this form will be made available in electronic format by the entity’s first Annual Assessment due date and must be submitted through the DIFC Client Portal. Submissions by email will not be accepted.
Please review the DPO Annual Assessment Guidance for further support, information and FAQs.
Please submit your group BCRs to firstname.lastname@example.org
The DIFC Standard DP Clauses have been adapted from the EU Standard Contractual Clauses (the SCCs, also known as the Model Clauses); the only adaptation is to the article references, which now point to the DIFC DP Law 2020. If you rely on the EU SCCs alone, the transfer from the DIFC to a non-DIFC jurisdiction must still be covered. If that is addressed by additional text added to the EU SCCs, for example in the appendices, so that they also cover transfers from the DIFC to non-DIFC jurisdictions, or the point is otherwise made clear, that may suffice. If you have any questions please contact email@example.com
Yes. The DIFC Commissioner of Data Protection announced its intention to continue to recognise the United Kingdom as an adequate jurisdiction in March 2019 (see communication here) and maintains this position going forward, in accordance with Article 27 of the updated DP Law 2020 and Section 5 of the Data Protection Regulations 2020.