Dubai International Financial Centre (DIFC)

Data Protection Notification

Failure by entities to notify the Commissioner of Data Protection ("Commissioner") in accordance with the Data Protection Law and Data Protection Regulations may result in the Commissioner imposing a fine in respect of the contravention as prescribed in Schedule 2 of the Data Protection Law. The data protection notification has to be submitted through the DIFC Client Portal. DIFC-registered entities are required to submit a data protection notification as per the process below:

New entities

The data protection notification is part of the registration/incorporation service request. Note that the DIFC Client Portal will not allow the user to submit the registration/incorporation service request without finalising the data protection notification.

Data Protection Notification

The data protection notification renewal is part of the license renewal service request. Prior to submitting the license renewal service request, the user must first confirm if there are any changes to the registrable particulars notified in the manner described previously.

Duty to notify changes

If at any time during the year there are any changes to the registrable particulars, entities must submit a notification to the Commissioner through the DIFC Client Portal using the service request "Data Protection Notification".

Data Protection Forms

Approved template for Annual Assessment required under Article 19(1) of the DP Law 2020. Please contact the Commissioner’s Office for any queries.

Standard Data Protection Clauses approved for use in accordance with Article 27(2)(c) regarding transfers of Personal Data outside of the DIFC in the absence of an adequate level of protection as follows:

1) For sharing data in such manner between a DIFC Controller and a non-DIFC Controller

2) For sharing data in such manner between a DIFC Controller and a non-DIFC Processor

Please note: these are not the standard contractual clauses referred to in Article 24(8) of DP Law 2020. The Commissioner’s Office has not yet published such clauses, but may do so in the future. Generally, at this time please ensure the content of any such written agreement contains clauses sufficient to discharge the obligations in Articles 24(5)(b)(i) to 24(5)(b)(x).

Data Protection Schedule Of Fees

All applicable fees must be paid in respect of matters set out in App1 of the Data Protection Regulations. Fees should be paid at the time that the relevant forms are submitted. No request for action will be considered duly made until the relevant fee is received.

Payment method:

  • Cash
  • Cheque
  • Credit Card

Cash, cheque, copy of remittance advice or credit card authorisation form is to be submitted to the office of the Commissioner of Data Protection at the DIFC offices in person, by courier or by mail, at the following address: Level 14, The Gate, DIFC, P. O. Box 74777, Dubai, UAE.
Please note, if submitting payment by cheque, cash or credit card in UAE Dirhams, the applicable exchange rate is US$1=AED3.675. Cheques should be made payable to: DIFCA - Office of the Data Protection Commissioner.

Category | Type of Entity
I        | Regulated Entities
         | Authorised Firms
         | Authorised Ancillary Service Providers
         | Authorised Market Institutions
         | Credit Bureaus
II       | Non-Regulated Entities

Upon Receipt By The Commissioner Of Data Protection of: | Category I | Category II | Category III
Annual renewal of the registration | $500 | $250 | $100
Amendments to the registrable particulars of the notification | $100 | $50 | $10
Notification to inform the Commissioner of Data Protection of not Processing Personal Data | Nil | Nil | Nil
Amendments to contact details | Nil | Nil | Nil

  • Category I includes entities regulated by the DFSA;
  • Category II includes DFSA non-regulated entities, except retail; and
  • Category III includes retail entities.
