Accountability & Notifications
Data Protection Notification
In accordance with the DP Law 2020 and Regulations, DIFC entities must notify the Commissioner of Data Protection ("Commissioner") when processing Personal Data. Failure by entities to notify the Commissioner may result in enforcement action including investigations or fines in respect of the contravention as prescribed in Schedule 2 of the DP Law 2020. The data protection notification has to be submitted through the DIFC Client Portal. DIFC-registered entities are required to submit a data protection notification as per the process below:
- New entities
The data protection notification is part of the registration/incorporation service request. Note that the DIFC Client Portal will not allow the user to submit the registration/incorporation service request without finalising the data protection notification.
- Duty to notify changes
If at any time during the year there are any changes to the registrable particulars, entities must submit update the notification to the Commissioner through the DIFC Client Portal using the service request "Data Protection Notification".
- Data Protection Notification
The data protection notification renewal is part of the license renewal service request. Prior to submitting the license renewal service request, the user must first confirm if there are any changes to the registrable particulars notified in the manner described previously. Only DIFC registered entities can notify the Commissioner through the DIFC portal, however a webform tool [hyperlink] is available below that will allow a non-DIFC entity to optionally notify the Commissioner that it is processing DIFC Personal Data.
Data Protection Schedule of Fees
All applicable fees must be paid in respect of matters set out in App1 of the Data Protection Regulations. Fees should be paid at the time that the relevant forms are submitted. No request for action will be considered duly made until the relevant fee is received.
- Credit Card
Cash, cheque, copy of remittance advice or credit card authorisation form is to be submitted to the office of the Commissioner of Data Protection at the DIFC offices in person, by courier or by mail, at the following address: Level 14, The Gate, DIFC, P. O. Box 74777, Dubai, UAE.
Please note, if submitting payment by cheque, cash or credit card in UAE Dirhams, the applicable exchange rate is US$1=AED3.675. Cheques should be made payable to: DIFCA - Office of the Data Protection Commissioner.
|Type of Entity
Authorised Ancillary Service Providers
Authorised Market Institutions
|Upon Receipt By The Commissioner Of Data Protection of:
|Annual renewal of the registration
|Amendments to the registrable particulars of the notification
|Notification to inform the Commissioner of Data Protection of not Processing Personal Data
|Amendments to contact details
- Category I includes entities regulated by the DFSA
- Category II includes DFSA non-regulated entities, except retail; and
- Category III includes retail entities.
Data Protection Templates
These templates will assist in ensuring accountability for processing activities. These templates are only provided for guidance and format purposes. Provision of them is not to be construed as legal advice. Legal consultants or other duly designated persons acting for the entity may revise, add or remove anything in these templates as appropriate, and the entity remains responsible for its own compliance with DP Law 2020.