Frequently Asked Questions

Please note that the information presented in the FAQs below is not meant to express an opinion on the lawfulness of specific business activities, nor does it have the force of law, and it is not intended to constitute legal advice. Please contact legal counsel for assistance in determining your data protection and privacy policies regarding these FAQs to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of this information as it may apply to the particular circumstances of an individual or a firm.

You may connect to the DP sub-menus containing content on the FAQs below as follows:

DP Website Navigation

The Basics

  • What is the purpose of the DIFC data protection legislation?
  • Who is responsible for administering and providing guidance regarding the DIFC Data Protection Law?
  • To which entities does the DIFC DP Law 2020 apply?
  • What is Personal Data?
  • What is Special Category Data?
  • Who is a Controller?
  • Who is a Processor?
  • Who is a Data Subject?
  • What is a Third Party?
  • Who is a recipient of Personal Data?
  • What is Processing?
  • Is there a fee for notification?


  • What is accountability?
  • How does a Controller comply with the core provisions of the Data Protection Law?
  • Must a data protection officer (DPO) be appointed by all DIFC licensed entities or DIFC Bodies?
  • When should I submit the Annual Assessment for compliance with Article 19 of the DP Law 2020, and in what format?
  • When is a permit required?

Individuals' Rights & Redress

  • What must a Controller or Processor do when it wants to deal with an individual's Personal Data?
  • What determines whether data relates to an individual?
  • What are my rights as a Data Subject regarding Processing of my Personal Data and lodging complaints?
  • What about expressions of opinion?

Data Export & Sharing

  • Where can I find information about international data transfers and what I have to do to comply with Articles 26 and 27 of DP Law 2020?
  • Where can I find information about public authority data sharing requests and what I have to do to comply with Article 28 of DP Law 2020?
  • Per Article 27, if our Group of companies has Binding Corporate Rules (BCRs) approved by the EU or another government body, how should I submit them for review to the DP Commissioner?
  • Per Article 27(2)(c), will using the EU Model Clauses or UK IDTA, or even another country's similar clauses, for data transfers cover my data transfers outside the DIFC to a non-adequate jurisdiction?
  • What is the DIFC Ethical Data Management Risk Index (EDMRI) and the EDMRI+?
  • Where can I find more information and FAQs about the DIFC Ethical Data Management Risk Index (EDMRI)?

Personal Data Breaches

  • Must Personal Data breaches be reported to the Commissioner, the Data Subject or both?
  • Is there a time limit for notification of a breach, like in other data protection laws?
  • How do I notify a Personal Data breach?

Supervision & Enforcement

  • How does the Commissioner's Office decide which companies to inspect?
  • How many inspections does the Commissioner's Office conduct each year?
  • Is information about fines and other enforcement action provided on the DIFC website?