Accountability & Rights

Accountability & Data Subjects’ Rights

Taking responsibility for the ethical management of Personal Data and being transparent about how your organisation protects people’s rights result in better overall compliance and create a competitive edge based on developing and keeping people’s trust.

Furthermore, if something does go wrong while your organisation is the custodian of a person’s identifiable information, accountability means showing that you actively considered the risks and put in place measures and safeguards to mitigate these risks. By doing so, you are also protecting your organisation against potential enforcement action.

Lastly, this commitment is a good example to other organisations you deal with about how they should ethically and responsibly manage Personal Data in order to work with your business. On the other hand, if you can’t show good data protection practices, it may leave you open to breaking the trust you have built, as well as possibly incurring fines and reputational damage.


Accountability Tools


Applicability Assessment Tool

Does the DIFC DP Law 2020 apply to my entity?

High Risk Processing Assessment Tool

Do I conduct HRP?

DPO Assessment Tool

Do I need to appoint a DPO?

DP Assessment Tool

Privacy Notices (Articles 29 & 30)


To access the Data Protection Maturity Assessment tool click on the button below. This tool provides an overall view of your entity’s current DP compliance, where you would like it to be and recommendations about how to achieve it.

Please note clicking this link will take you to a third party website, where you will be required to create a user account. Registration is free. The third party provider is subject to the DIFC DP Law 2020 and other DP laws. Please review their privacy policy to understand how they process personal data and assurance of individual rights.

Conduct Maturity Assessment

Individuals’ Rights & Redress

The rights of individuals, commonly known in Data Protection law as Data Subjects, are the most important consideration in any organisation's accountability framework. Enforcement action is much more severe where such rights have been unlawfully limited or restricted, and / or where redress is not sufficiently provided.

For support in understanding the requirements on rights and remedies set out in DP Law 2020, please click the button below to view a table that highlights:

  • which individuals’ rights are supported;
  • the obligations of Controllers and Processors in managing them; and
  • remedies available to individuals, including compensation and damages, for non-compliance with these requirements.

Rights & Redress Information


Resolving Issues Impacting Privacy Rights in the DIFC

If you believe your rights under the DIFC DP Law 2020 have been breached or there may be a high risk to your ability to exercise them, please contact the business or organisation directly to try and work it out. Most businesses and organisations will want to help you resolve your issue quickly, before it comes to the Commissioner's office. Your rights and remedies, including the option to make a complaint or request mediation, are set out in the Individual Rights and Remedies table above.


Tips for Raising Issues Directly with the Company or Organisation

Here are some tips for making a complaint directly to a business or other organisation in order to resolve a privacy concern:
  • Evaluate the nature and timeliness of your issue before you proceed. If there is a low risk of harm or no harm was caused, or if some time has passed between the event (i.e., non-response to an access claim, or other similar causes of risk to your rights) and your complaint to the company or to our office, this may be reflected in the decisions by the company or the Commissioner’s Office to respond to or take up your complaint or agree to mediate (in the case of the Commissioner’s Office).
  • Review the Commissioner’s guidance on Individuals’ Rights to Access & Control Personal Data. This sets out your rights and how you may exercise them, how they differ from other options for redress (i.e., subject access request vs discovery in a court proceeding), how companies may respond (including exemptions and special issues they may consider, such as when requests are manifestly unfounded or excessive, in particular because of their repetitive character), and how long companies have to respond (normally 30 days).
  • If you decide to go ahead with your request or complaint, please check the DIFC Public Register for the correct company name and commercial license number in case you need it for any communications with them or with the DIFC Commissioner’s Office.
  • Contact the company or organisation through official details provided on the company website (if one exists) or provided by other means.  Under Article 40 of the DP Law 2020, they must provide at least 2 means of contact for such matters. Please note, the DIFC Commissioner’s Office will not necessarily have these details and may not necessarily be required to provide them. However, if the details are incorrect or they are not available at all for this purpose, please let us know.
  • Organisations are encouraged to use the DIFC Individuals' Rights Response Assessment tool for guidance about their response to any requests you make.

If you have made a request to access or correct your information, the business or organisation has one month to respond, unless additional time is required to respond to particularly complex or numerous requests. Please see Article 33 of the DP Law 2020, as well as Schedule 1, Article 1 (and any applicable amendments) to determine the meaning of these timing requirements.

You can get in touch with our office for help if you have a query, or if you are not happy with the organisation's response or wish to raise a complaint about how it processes your Personal Data.


Tips and Tools for Companies or Organisations Responding to Individual Requests

Responding to a request from an individual seeking to understand what data is being processed about them is something any business may have to do at some time. These requests are known as subject access requests or SARs, or may also be a request to exercise rights such as that of erasure, portability, etc. – found primarily in Articles 32 to 40 of the DP Law 2020. Knowing whether you have received such a request is half the effort, and then properly responding is of vital importance.

Please use this tool to assess whether your business has received such a request and how to respond.

Rights Response Assessment


Data Protection Templates

These templates will assist in ensuring accountability for processing activities. These templates are provided only for guidance and format purposes. Provision / content of these templates is not to be construed as legal advice.

Legal consultants or other duly designated persons acting for the entity may revise, add or remove anything in these templates as appropriate, and the entity remains responsible for its own compliance with DP Law 2020 when using them as a basis for its own purposes.

  • Sample Government Data Sharing MOU (Article 28 - written assurances)
  • Sample Government Data Sharing Policy (Article 28)
  • Sample Online DP Notice aka Privacy Policy (Articles 29 / 30)
  • Sample Internal Privacy Policy (Article 14)
  • Sample Compliance Checklist and DPIA (Part 2D and Article 20)
  • Sample Record of Processing Activities (ROPA) (Article 15)
  • Sample DPO Job Description (Articles 16 to 18)
  • Sample DPO Annual Assessment (Article 19)