Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

DIFC: DIFC enacts Data Protection Law and Regulations

The Dubai International Financial Centre ('DIFC') announced, on 1 June 2020, that His Highness Sheikh Mohammed bin Rashid Al Maktoum had enacted DIFC Data Protection Law No. 5 of 2020 ('the Data Protection Law') and that the Board of Directors of the DIFC Authority has also issued new Data Protection Regulations ('the Regulations'). In particular, the DIFC noted that the Data Protection Law and the Regulations set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines, and adequate jurisdictions for cross-border transfers of personal data. 

Furthermore, the DIFC stipulated that the changes to the Data Protection Law and the Regulations establish the accountability of controllers and processors through compliance program requirements, and include provisions on the appointment of data protection officers where necessary, provisions on conducting Data Protection Impact Assessments ('DPIAs'), and impose contractual obligations that protect individuals and their personal data. Moreover, the permit options for cross-border data transfers and special category personal data processing have been removed and the Data Protection Law and the Regulations include appropriate data sharing structures between government authorities. In addition, the Data Protection Law and the Regulations introduce general fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits.

Finally, the DIFC stated that the Data Protection Law will come into effect, from 1 July 2020, and that the Data Protection Law DIFC Law No. 1 of 2007, will remain in effect until this date. However, the DIFC noted that although the Data Protection Law will be effective from 1 July 2020, businesses to which it applies will have a grace period of three months, until 1 October 2020, to prepare to comply with it, after which the Data Protection Law will become enforceable.

You can read the press release here and the Data Protection Law here.