DIFC
 

Supervision

Each year the Commissioner's Office undertakes supervisory actions, including inspections. Now through an automated process via the DIFC Client Portal, the inspection methodology, risk assessment and reporting process reaches at least 100 entities per year.

 

Inspection statistics will be posted on a regular basis, to help you see what kind of information you are required to report and how to assess the risks regarding any non-compliance issues.

 

Statistics regarding investigations (on-going and completed) are also important for understanding how complaints intake, mediation, review and determination work, the timelines involved, and what the Commissioner's Office's fact-finding process looks like. Please see information about the complaints and mediation process in FAQs and Guidance.

 

Finally, Presidential Directives are a form of supervision that DIFC Controllers and Processors must take note of. Apart from guidance, Presidential Directives set out specific requirements relating to the regulatory requirements of DIFC laws. Please refer to this section of the Supervision & Enforcement page for the latest applicable Directives.

INSPECTIONS
Total Inspections in 2022 (end Q3): 55

- Completed: 40

  - Compliant: 38
  - Minor Non-compliance: 2
  - Major Non-compliance / Fines: 1

- Ready for Review / Reporting: 7

- Initial Inspection Notice Issued: 8

INVESTIGATIONS
Total Investigations in 2022 (end Q3): 3

- Completed: 2

  - No contravention: 0
  - Contravention / Directions: 1
  - No further action taken by any party: 1

- In Progress: 1

 
Total Complaints in 2022 (end Q3): 3

- Regarding DIFC-based entities: 2

- Regarding non-DIFC entities: 1

DIRECTIVES
Directives related to Data Protection in 2022: 1

Directive No. 4 of 2022, the Public Authority Personal Data Sharing Directive

The Public Authority Personal Data Sharing Directive, No 4 of 2022, primarily deals with the applicability of the Data Protection Law, DIFC Law No 5 of 2020 (the DP Law 2020), to data sharing protected by safeguards enumerated in Article 28. Government authorities and law enforcement may request personal data from a DIFC entity, of course. Article 28 imposes safeguards for ensuring that personal data shared with the Requesting Authority is processed in accordance with the DP Law 2020, either by written and binding assurances or by the sharing entity's own risk assessment, or both. For more information about the applicability and importance of compliance with Article 28, please review the guidance and FAQs available on the Data Export & Sharing page of the DP website.

 

 

 

Enforcement

Enforcement, including remedial actions, directions, decision notices and fines, is a necessary part of data protection law regulation.

 

Decision notices are issued by the Commissioner usually when a complaint has been made and investigated, and a conclusion drawn about contravention or no contravention of the DIFC DP Law, in accordance with the Commissioner's powers and functions set out in Part 8 of the DIFC DP Law 2020 and Part 9 addressing Remedies, Liability and Sanctions. Decision notices will be provided below.

Decision Notices

Decision Notice 1 of 2022

FINES

Total number of Fines issued in 2022 (end Q3):  31

- Failure to notify: 1

- Failure to renew notification: 28

- Other fines: 2

 

Total number of Fines issued in 2021:  146

- Failure to notify: 95

- Failure to renew notification: 51

- Other fines: 0

 

Analysis:

Apart from the "notification renewal" fines, the fines statistics above may have resulted from investigations of complaints or findings of non-compliance through inspection or thematic assessment.

 

Regarding new notifications or incorrect existing notifications, for example, the difference between 2021 and 2022 is likely the result of two thematic assessments that were issued in mid-2021. The assessments were for the same purpose, i.e., to clarify why the DIFC entity notified that it does not process Personal Data (PD). The thematic review questions were sent to 1) retail entities and 2) fintech entities that notified that they do not process PD.

 

The responses led to supervisory action including outreach and in-person discussions about DP compliance obligations, as well as fines for non-compliance in certain cases where the entity was directed to notify that it does process PD, but did not do so. The Commissioner's Office undertook extensive remedial action to refine its processes, and to ensure that DIFC entities are clearer about notification requirements under Article 14(7). As such, the notifications process was revised to automatically reduce the number of invalid submissions by asking only 2 simple questions up front and requiring validations where account information indicated that the submission may be incorrect. Also, since the DP Law 2020 was enacted, increased general outreach sessions, publication of specific guidance and simple, clear assessment tools have contributed to better understanding of the notification requirement.

 

Consequently, the number of submissions by entities stating (in many cases, incorrectly) that they do not process PD in the first instance has dropped significantly, from 220 out of 735 newly formed entities in 2020, to 195 out of 996 newly formed entities in 2021, and then down to 90 out of 806 newly formed entities so far in 2022. There have been only 36 notifications of not processing PD out of since the revised notification process went live in April 2022. This shows that DIFC entities now have a better overall understanding of the notification requirement and are on the path to creating a positive data processing and compliance culture. Further to that, the number of fines for invalid notifications has also dropped, as set out above.
