DIFC: DIFC publishes guidance on controller/processor obligations and data retention
The Dubai International Financial Centre ('DIFC') published, on 8 July 2022, a guidance on controller/processor obligations and agreements ('the Controller/Processor Guidance') and a guidance on retention and storage of personal data ('the Retention Guidance'). In particular, the Controller/Processor Guidance states that the DIFC Commissioner of Data Protection ('the Commissioner'), in producing the guidance, aims to assist controllers and processors subject to the Data Protection Law, DIFC Law No. 5 of 2020 ('the Law') and the Data Protection Regulations ('the Regulations') in complying with the obligations and contractual requirements required by Articles 23 to 25 of the Law. In this regard, the Controller/Processor Guidance covers the following:
- contractual requirements between controllers and processors, assisting both in understanding what needs to be included in their written agreements and why;
- controllers' liability when engaging processors; and
- processor and sub-processor autonomy and responsibilities.
Moreover, the Retention Guidance notes that it aims to assist organisations in the tasks of proper records management, data governance, and data security required to comply with the Law, and particularly, in complying with Articles 9 and 14 of the Law on data minimisation and data security. Furthermore, the Retention Guidance covers, among other things, the following topics:
- documentation of data and records filing;
- data security;
- quality assurance;
- data retention and destruction; and
- mobile devices, remote working, and removable media.