DIFC
  • Stay up-to-date with DIFC’s response to Covid-19
  • Read more

Notification to the Commissioner of Data Protection

In accordance with the DP Law 2020 and Regulations, DIFC entities must notify the Commissioner of Data Protection ("Commissioner") when processing Personal Data ("PD"). Failure by entities to notify the Commissioner may result in enforcement action including investigations or fines in respect of the contravention as prescribed in Schedule 2 of the DP Law 2020. The data protection notification to the Commmissioner has to be submitted through the DIFC Client Portal and incurs fees based on entity type.  Please see the fee table below for assistance.  

Notification assessment tool – Do I need to notify the Commissioner that I process PD?

Please use this tool to help you understand whether or not your entity should notify its processing operations to the DIFC Commissioner of Data Protection.
view tool

DIFC-registered entities are required to submit a data protection notification as per the process below:

New entities

The data protection notification is part of the registration/incorporation service request. Note that the DIFC Client Portal will not allow the user to submit the registration/incorporation service request without finalising the data protection notification section of the onboarding form. 

Notification is completed in 2 steps: initial notification followed by a service request that must be completed with 6 months of licensing.  If you notify that the entity does not process PD, a service request will be created to justify this assessment before you may proceed.  Please see guidance regarding notifications for assistance.  

Data Protection Notification RENEWAL

The data protection notification renewal is part of the license renewal service request. Prior to submitting the license renewal service request, the user must first confirm if there are any changes to the registrable data protection particulars notified in the manner described previously. Only DIFC registered entities can notify the Commissioner through the DIFC portal, however a webform tool [hyperlink] is available below that will allow a non-DIFC entity to voluntarily notify the Commissioner that it is processing DIFC Personal Data.

Duty to notify changes

If at any time during the year there are any changes to the registrable particulars, entities must submit update the notification to the Commissioner through the DIFC Client Portal using the service request "Data Protection Notification".

Please note that in accordance with the DIFC Data Protection Regulations 2020, all changes to processing (i.e., beginning processing operations, different processing operations involving other types of data or locations, etc.) must be notified to the Commissioner via an update outlined above within 14 days of commencing such processing.  

Voluntary Notification

Even if your entity is not registered with a DIFC Commercial License or other DIFC-registered permission, you may voluntarily notify the Commissioner of your DP operations involving the processing of DIFC-related personal data. Please use below form to notify us accordingly.  Voluntary notification is not mandatory and is free of charge for non-DIFC entities wishing to do so.

 

Voluntary Notification by Non-DIFC Entities

 
Contact name *
Phone *
My entity has a DIFC Commercial License or Commercial Permission: *
Registration number *

If your entity processes Personal Data and it holds a DIFC commercial license or permission from DIFC, please go to the DIFC Client Portal to notify the DIFC DP Commissioner.  To determine whether your entity processes Personal Data such that it must notify the Commissioner under Article 14 of DIFC DP Law 2020 please use this Notification assessment tool.


Does your entity process DIFC Personal Data in accordance with Article 6(3)(b) (excerpt below) of the DIFC DP Law 2020?

“This Law applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. This Law applies to such Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC”

Please use this Applicability assessment tool to help determine whether the DIFC DP Law 2020 is applicable to the type of processing your entity undertakes. *
Are you sure? Processing can mean that your entity undertakes storage, analytics, direct marketing, on behalf of DIFC Entity, or other collection o f data from the DIFC, i.e., scraping of DIFC register, etc. Please also consider the jurisdictions to which Personal Data is transferred once it leaves the DIFC environment and whether any safeguards are in place in accordance with Articles 26 or 27. For further information please see the DP Law 2020 *
Do you wish to voluntarily notify the Commissioner of your processing operations as they pertain to Article 6(3)(b)? This is not mandatory, but you may do so if you wish. *

 

 

Schedule of DP Notification Fees

All applicable fees must be paid in respect of matters set out in App1 of the Data Protection Regulations. Fees should be paid at the time that the relevant forms are submitted. No request for action will be considered duly made until the relevant fee is received.

Payment method:

  • Cash
  • Cheque
  • Credit Card

Cash, cheque, copy of remittance advice or credit card authorisation form is to be submitted to the office of the Commissioner of Data Protection at the DIFC offices in person, by courier or by mail, at the following address: Level 14, The Gate, DIFC, P. O. Box 74777, Dubai, UAE.

Please note, if submitting payment by cheque, cash or credit card in UAE Dirhams, the applicable exchange rate is US$1=AED3.675. Cheques should be made payable to: DIFCA - Office of the Data Protection Commissioner.

Fees TABLE
Category Type of Entity
I Regulated Entities
Authorised Firms
Authorised Ancillary Service Providers
Authorised Market Institutions
Credit Bureaus
II Non-Regulated Entities
III Retail
 
Upon Receipt By The Commissioner Of Data Protection of: Category I Category II Category III
Registration(Notification) $1,250 $750 $250
Annual renewal of the registration $500 $250 $100
Amendments to the registrable particulars of the notification $100 $50 $10
Notification to inform the Commissioner of Data Protection of not Processing Personal Data Nil Nil Nil
Amendments to contact details Nil Nil Nil
  • Category I includes entities regulated by the DFSA
  • Category II includes DFSA non-regulated entities, except retail; and
  • Category III includes retail entities.

For better web experience, please use the website in portrait mode