Guidance

Comprehensive Data Protection Guidance & Assessment Tools

Guidance and Handbooks

The guidance documents and tools on this page provide important insights on interpretation of DIFC DP Law 2020. Please note that some guidance documents or handbooks may be repeated under certain headings as they cover elements of several important data protection concepts.

Also, please note that the Commissioner's guidance and handbooks are not meant to express an opinion on lawfulness of specific business activities, nor do they have the force of law, and are not intended to constitute legal advice. Please contact legal counsel for assistance in determining your business's data protection and privacy requirements in respect of the topics addressed below, to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of the information herein as it may apply to the particular circumstances of an individual or a firm. For information about interpretting the guidance or the DP Law 2020 and Regulations, please contact commissioner@dp.difc.ae. If you have questions about the DIFC Portal, i.e., submitting forms regarding inspections or notifications, please contact the DIFC Services Help Desk.

General Requirements for DP Law 2020

Comprehensive Guide to Data Protection Law, DIFC Law No. 5 of 2020 and DP Regulations
Overview of DIFC Data Protection Regime
Webinar: Introduction to DIFC DP Law 2020
Webinar: FAQs

Lawful Processing

Processing Personal Data Through Autonomous & Semi-Autonomous Systems (Reg 10)
Consent
Regulation 10 FAQs - DIFC AI Regulations

Accountability & Notifications

Comprehensive Guide to Notification of Processing Operations
Step by Step Portal Guide to Notifying the DIFC DP Commissioner of Processing Operations
Step by Step Portal Guide to DP Inspections
Sample DIFC Record of Processing Activities
Webinar: Accountability, Supervision and Enforcement
Webinar: Applicability and Notifications

Data Protection Officers

High Risk Processing & DPO Appointments
Webinar: DPO Appointments

Risk Assessments (DPIAs, DPO Annual Assessment)

Data Processing Impact Assessments with "DPIA Required" List
Sample Compliance Checklist and DPIA
DPO Annual Assessment - Checklist & FAQs
Sample DPO Annual Assessment and Risk Matrix - 2023

Obligations of Controllers & Processors

Controller & Processor Agreements
Article 24 Contract Clauses & DIFC Abbreviated SCCs
Retention & Storage of Personal Data

Data Export & Sharing

DIFC Data Export & Sharing Handbook
Guidance on Article 28 of DIFC DP Law 2020
DIFC DP Law 2020 - Article 28 FAQs
** UPDATED: DIFC EDMRI Guidance - December 2023
DIFC EDMRI FAQs
Webinar: Data Export and Sharing
DIFC A 27 SCCs - DIFC Exporter transferring to Non-DIFC Importer
DIFC Abbreviated SCCs - 2023

Information Provision & Rights of Individuals

Individuals’ Rights to Access and Control Personal Data Processing
Individual Rights & Remedies Checklist
Complaints & Mediation Processes
Direct Marketing & Electronic Communications

Personal Data Breaches

Notifying the Commissioner of a Personal Data Breach
Webinar: Personal Data Breaches

Remedies, Liability and Sanctions

Commissioner's Powers, Fines & Sanctions
Individual Rights & Remedies Checklist
Complaints & Mediation Processes

Data Protection Tuesday Talks

DIFC DP Talks #1: Overview and DP Website
DIFC DP Talks #2: Amendments and Consultation
DIFC DP Talks #3: Notifications
DIFC DP Talks #4: Inspections
DIFC DP Talks #5: DPO Annual Assessment
DIFC DP Talks #6: Article 28
DIFC DP Talks #7: Supervision & Enforcement
DIFC DP Talks #8: Benefits of a DPMP
DIFC DP Talks #9: Localisation and CLOUD Act
DIFC DP Talks #10: AI Regulation
DIFC DP Talks #11: Q1 2023 Review & Catch Up
DIFC DP Talks #12: EU Enforcement & Impact on DIFC-based Controllers and Processors
DIFC DP Talks #13: China PIPL and SCCs
DIFC DP Talks #14: KSA PDPL and Regulations
DIFC DP Talks #15: Regulation 10 (AI)
DIFC DP Talks #16: Colombia Adequacy
DIFC DP Talks #17: Year in Review 2023
DIFC DP Talks #18: Regulation 9 (Marketing)

External Guidance, Policies & Other Presentations

Covid 19 Data Collection FAQs
DIFC Privacy Day 2022 - Jan 25 Webinar on UAE DP Law
DIFC Privacy Day 2022 - Jan 27 Webinar on DIFC Data Export and Sharing
Webinar: Continuous Improvement and Compliance 2022
OECD Privacy Site with Link to Guidelines
OECD Declaration on Government Access to Personal Data Held by Private Sector Entities
OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity

Data Protection Assessment Tools

Please note that these assessment tools are not meant to express an opinion on lawfulness of specific business activities, the outcomes provided do not have the force of law, and they are not intended to constitute legal advice. Please contact legal counsel for assistance in determining your business's data protection and privacy requirements in respect of the topics addressed below, to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of the information herein as it may apply to the particular circumstances of an individual or a firm.

DP Assessment Tool – Applicability (Article 6)

Conduct assessment

DP Assessment Tool – Notifications to the Commissioner of Processing Operations (Article 14(7))

Conduct assessment

DP Assessment Tool - High Risk Processing (Article 16)

Conduct assessment

DP Assessment Tool – Data Protection Officers (Articles 16 to 19)

Conduct assessment

DP Assessment Tool – Data Protection Impact Assessments (Article 20)

Conduct assessment

DP Assessment Tool - Controller and Processor Obligations (Articles 23 to 25)

Conduct assessment