DIFC
Frequently asked questions

Q: Who is responsible for administering the Data Protection Law in the DIFC?

The Commissioner of Data Protection is responsible for administering the Data Protection Law.

Q: What determines whether data relates to an individual?

The Data Controller must notify the Commissioner of Data Protection when it is:

  • Processing Sensitive Personal Data; and/or
  • transferring Personal Data outside the DIFC to a jurisdiction that does not have adequate levels of data protection.

Q: What are my rights as a Data Subject?

The data protection legislation gives certain rights to Data Subjects concerning their Personal Data and Sensitive Personal Data. Generally, a Data Subject has the right to access any Personal Data that is kept about them.

If the Personal Data Processed by the Data Controller is inaccurate, then the Data Subject can request the Data Controller to take action to rectify, block or destroy the inaccurate data. However, there are certain circumstances, or exemptions, where it is legal for a Data Controller not to notify a Data Subject that Personal Data is being Processed. For example, where Personal Data is being released to a legitimate authority to comply with anti-money laundering obligations.

A Data Subject can object on reasonable grounds to the Processing of their Personal Data, and request that their Personal Data not be disclosed to third parties. This may include circumstances where an individual requests a Data Controller to cease Processing Personal Data for the purposes of direct marketing. If the Data Controller objects to the request, the Data Subject may file a complaint with the Commissioner of Data Protection at DIFC, who may refer the matter to mediation.

Q: What is Personal Data?

Personal Data is any information relating to an identified natural person or Identifiable Natural Person. For example, Personal Data may include an individual’s name, age, home address, race, sexual orientation, income, blood type, marital status, education, and employment information.

Q: Is there a fee for a permit?

Yes, click here to view schedule of fees.

Q: How does a Data Controller comply with the core provisions of the Data Protection Law?

DEALING WITH THE DATA SUBJECT

A Data Controller must securely keep any Personal Data it collects and process it fairly and lawfully. At or before the time Personal Data is collected from a Data Subject, a Data Controller should take reasonable steps to ensure that the Data Subject is aware of:

  • the identity of the Data Controller and how to contact it;
  • the fact that the Data Subject is able to gain access to their Personal Data;
  • the purposes for which their Personal Data is collected;
  • other persons to whom the Data Controller usually discloses data of that kind; and
  • the main consequence for the Data Subject if all or part of the data is not provided.

If a Data Controller intends to Process the Personal Data collected from a Data Subject, it is suggested that when the Data Controller collects that Personal Data, the Data Controller obtain the Data Subject’s written consent to such Processing at the same time.

INITIAL INTERNAL PROCEDURES

The Data Controller should consider the following for all Personal Data:

  • purpose for which it holds Personal Data;
  • number of individuals identified in the Personal Data it holds;
  • nature of the Personal Data;
  • length of time it holds Personal Data;
  • procedure for individuals identified by the Personal Data it holds to obtain access to their Personal Data; and
  • the possible consequences for individuals identified by the Personal Data it holds as a result of the way it holds, erases or Processes Personal Data.

ONGOING INTERNAL PROCEDURE

The Data Controller should consider the following matters:

  • is there a record of when the Personal Data it holds was recorded or last updated?
  • are all those involved with the collection and Processing of Personal Data, including people to whom they are disclosed as well as employees of the Data Controller, aware that the Personal Data may not necessarily be up to date and accurate?
  • are steps taken to update the Personal Data, for example, by checking back at intervals with the original source or with the Data Subject? If so, how effective are these steps?
  • if the Personal Data is out of date is it likely to cause damage or distress to the Data Subject?

TRANSFERS

Before Personal Data is transferred outside the DIFC, the Data Controller should consider the following matters:

  • does it need a permit?
  • has the Commissioner of Data Protection at DIFC granted a permit to transfer the Personal Data?
  • has the Data Subject unambiguously consented to the proposed transfer?
  • is the transfer necessary for the performance of a contract between the Data Subject and the Data Controller?
  • is the transfer necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims?
  • is the transfer necessary in order to protect the vital interests of the Data Subject?
  • is the transfer intended to provide information to the public which is open to consultation?
  • is the transfer necessary to comply with any legal obligation?
  • is the transfer necessary to uphold the legitimate interests of the Data Controller recognised in the international financial markets?
  • is the transfer necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a Data Controller?
