Dubai International Financial Centre - Data Protection Overview
1. Governing Texts
The main data protection law in the Dubai International Financial Centre ('DIFC') is the DIFC Data Protection Law No. 5 of 2020 ('the Law'), along with the Data Protection Regulations 2020 ('the Regulations'), which came into effect on July 1, 2020. The Law, which entered into force on October 1, 2020, brings the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
The processing of personal data in the DIFC is governed by the Law and the Regulations.
The DIFC has published various materials on its website on matters relating to data protection available on the Guidance section of the DIFC's website, including:
- Guide to Data Protection Law, DIFC Law No. 5 of 2020 and Data Protection Regulations 2020; and
- A Complete Guide to Data Protection Notifications ('the Guide' or 'the Data Protection Notification Guide').
1.3. Case law
2. Scope of Application
The Law protects living natural persons who can be identified, directly or indirectly.
The Law applies to any entity operating or conducting business in or from the DIFC as part of stable arrangements, regardless of whether the actual processing takes place in the DIFC or not, or to controllers and processors, regardless of their place of incorporation, where personal data is processed in the DIFC as part of stable arrangements, other than on an occasional basis.
The Law generally applies to the processing of any personal data (information relating to an identified or identifiable natural person) as well as to the processing of special categories of personal data (personal data revealing or concerning, directly or indirectly, racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade union membership, health or sex life, and genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person). It covers any operation or set of operations performed upon personal data, whether or not by automated means.
3.1. Main regulator for data protection
The Commissioner of Data Protection ('Commissioner') supervises and monitors compliance with the Law and the Regulations.
3.2. Main powers, duties and responsibilities
The Commissioner has, among others, the following powers, duties, and responsibilities:
- auditing a controller or processor;
- conducting investigations and inspections to verify compliance with the Law;
- issuing directions and warnings as well as making recommendations to controllers and processors;
- issuing a finding or making a declaration of contravention or no contravention of the Law;
- initiating proceedings for the contravention of the Law before the DIFC court;
- imposing fines for non-compliance with directions, laws, or regulations; and
- initiating a claim for compensation on behalf of a data subject before the DIFC court where there has been a contravention of the Law to the detriment of the data subject.
The complete set of powers, duties, and responsibilities of the Commissioner can be found under Article 46 of the Law.
4. Key Definitions
The Law, in Section 3 of Schedule 1, provides for the following concepts, which are consistent with the GDPR:
Sensitive data: While the Law does not define 'sensitive data', special categories of personal data are defined as personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade union membership, and health or sex life.
Data protection officer: a data protection officer ('DPO') appointed by a controller, including a joint controller, or processor to independently oversee relevant data protection operations.
5. Legal Bases
Article 12 of the Law addresses consent. Specifically, it states that consent must be freely given by a clear affirmative act that shows an unambiguous indication of consent.
Processing of personal data is permitted if processing is necessary for the performance of a contract to which a data subject is a party, or in order to take steps, at the request of a data subject, prior to entering into such contract.
Processing of personal data is permitted where processing is necessary for compliance with the applicable law that a controller is subject to.
Processing of personal data is permitted if processing is necessary to protect the vital interests of a data subject or of another natural person.
Processing of personal data is permitted if processing is necessary for substantial public interest reasons that are proportionate to the aims pursued, respects the principles of data protection, and provides for suitable and specific measures to safeguard the rights of the data subject.
The Law permits personal data to be processed for a legitimate interest pursued by a controller to whom the personal data has been made available, except where such interests are overridden by the interests or rights of a data subject.
Examples of legitimate interest provided in Article 13 of the Law include:
- where a controller, who is part of a group, may have a legitimate interest in transferring personal data within its group for internal administrative purposes; or
- where the processing of personal data is necessary and proportionate to prevent fraud or ensure network and information security.
Interest of the DIFC
Processing is necessary for:
- performance of a task carried out by a DIFC body in the interests of the DIFC;
- exercise of a DIFC body's powers and functions; or
- the exercise of powers or functions vested by a DIFC body in a third party to whom personal data is disclosed by the DIFC body.
Data controllers must process personal data in a manner that is fair, lawful, and transparent. Personal data must be processed for specified, explicit, and legitimate purposes determined at the time of collection, on the basis of a lawful ground for legitimate processing as set out in the Law (different grounds apply to the processing of special categories of personal data). Certain information must be provided to data subjects about the manner and purposes for which their data will be processed, including where the data is not collected directly from the data subject. In particular, at or before the time personal data is collected from a data subject, a data controller should take reasonable steps to ensure the data subject is aware of:
- the identity of the data controller and how to contact it;
- the fact that the data subject is able to gain access to their personal data;
- the purposes for which their personal data is collected;
- other parties to whom the data controller usually discloses data of that kind; and
- the main consequence for the data subject if all or part of the data is not provided.
Data controllers must implement appropriate technical and organizational measures to protect personal data against loss or unauthorized access, and must only engage data processors providing sufficient guarantees in respect of technical security and organizational measures.
7. Controller and Processor Obligations
Data controllers have a general duty to notify the Commissioner of their personal data processing operations via the DIFC client portal, specifically, in relation to transfers of personal data outside of the DIFC to recipients which are not subject to laws or regulations which ensure an adequate level of protection.
Controllers and processors are required to register with the Commissioner by filing a notification of processing operations, which must be kept up to date through amended notifications as per Article 14(7) of the Law. In particular, Sections 3.1.1 and 3.1.2 of the Regulations list the information that should be included in the notification to the Commissioner. Additionally, Section 3.1.2 of the Guide states that DIFC entities must indicate if they process any sensitive personal data and follow notification instructions accordingly.
In this regard, the notification must be provided to the Commissioner (Section 3.1.3 of the Regulations):
- as soon as possible and in any event within 14 days of commencing the personal data processing;
- on every anniversary of the initial notification, where the personal data processing is to continue in the subsequent year; and
- as soon as possible and in any event within 14 days of personal data being processed in a manner different from that described in the initial notification.
In addition, Article 14(8)(b) of the Law requires data processing notifications to be accompanied by a fee, and Appendix 1.1 of the Regulations sets out the details of that fee.
The maximum fine for failure to notify the Commissioner of the processing of personal data is $25,000 (Schedule 2 of the Law).
Further guidance on notifications is available on the DIFC website.
The Law permits the transfer of personal data to a non-adequate country outside the DIFC, provided that sufficient safeguarding mechanisms are put in place, including among other mechanisms:
- a legally binding instrument between public authorities;
- binding corporate rules ('BCRs'); or
- standard data protection clauses as adopted by the Commissioner.
The Commissioner has suggested a set of standard clauses to be applied to contractual or other arrangements that require the transfer of personal data outside of the DIFC.
The Law also creates a new exceptional basis for transferring personal data outside the DIFC, even to jurisdictions that do not offer adequate protection and without the data subject's consent, where the data controller can demonstrate a compelling legitimate interest and subject to a number of other limitations, such as a Data Protection Impact Assessment ('DPIA'), notification to the regulator, and non-recurrence of the transfer.
The Dubai Financial Services Authority's Rulebook Modules include provisions on the outsourcing of material functions by certain licensed persons; however, they do not specifically address the protection and disclosure of personal data in the context of outsourcing.
Data controllers must maintain internal records of their data processing operations.
The Law requires a controller to conduct a DPIA prior to conducting high-risk processing activities.
High-risk processing activities include:
- processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise their rights;
- processing of a considerable amount of personal data (including staff and contractor personal data) where such processing is likely to result in a high risk to the data subject, including due to the sensitivity of the personal data, or risks relating to the security, integrity, or privacy of the personal data;
- processing that involves a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person, or similarly significantly affect the natural person; or
- processing of a material amount of special categories of personal data.
In this regard, a controller shall carry out a review to assess if the processing is performed in accordance with a DPIA (Article 20(10) of the Law):
- on a regular basis, proportionate to the extent and type of processing the controller conducts; or
- when there is a change in the risk related to the processing operations.
A new DPIA is not required, unless applicable law requires such an assessment to be carried out prior to undertaking the processing activities, where:
- processing has a lawful basis in applicable law to which a controller is subject;
- applicable law regulates the specific processing operation or set of operations in question; and
- a DPIA has already been carried out as part of a general impact assessment in the context of the adoption of that lawful basis.
The Commissioner can publish a list of categories or types of data that do not require a DPIA; however, such a list has not yet been published.
A DPIA shall contain at least the following details (Article 20(6) of the Law):
- a systematic description of the foreseen processing operations and the purpose(s) of the processing, including, where applicable, the legitimate interest pursued by a controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose(s);
- identification and consideration of the lawful basis for the processing, including:
  - where legitimate interests are the basis for processing, analysis and explanation of why a controller believes the interests or rights of a data subject do not override its interests; and
  - where consent is the basis for processing, validation that such consent is validly obtained, consideration of the impact of the withdrawal of consent to such processing, and of how a controller will ensure compliance with the exercise of a data subject's right to withdraw consent;
- an assessment of the risks to the rights of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Law, taking into account the rights and legitimate interests of data subjects and other concerned persons.
Controllers are required to consult the Commissioner where a DPIA indicates that, despite taking the measures referred to in Article 20(6)(e) of the Law, the risk to data subject rights remains particularly high and the controller has already carried out, wishes to commence, or wishes to continue the processing activity (Article 21(1) of the Law). When doing so, the controller must provide the Commissioner with the information listed in Article 21(9) of the Law.
Cessation of processing
Where a controller or processor seeks to rely on Articles 22(4)(b) or 22(4)(c) of the Law, as exceptions to the requirement of securely and permanently deleting, anonymizing, pseudonymizing, or encrypting personal data, or putting the same beyond further use, they must conduct a DPIA in accordance with Article 20 of the Law before doing so (Article 22(5) of the Law).
Further guidance on DPIAs is available on the DIFC website.
It is mandatory for data controllers to appoint a DPO where high-risk processing activities will take place, and Article 16(8) of the Law requires controllers or processors to publish the contact details of their DPO in a manner that is readily accessible to third parties.
Generally, the DPO should be resident in the UAE; however, the Law recognizes that, in some cases, organizations will already have an appointed DPO outside the UAE and so allows for the function to be provided on an international basis.
The DPO must have sufficient expertise, independence, and resources to effectively and objectively perform its duties. The DPO is also required to conduct the 'controller annual assessment' under Article 19 of the Law and any necessary DPIAs.
Furthermore, a DPO must:
- monitor a controller or processor's compliance with the Law, any privacy-related laws/regulations, and privacy-related policies, which includes the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits (Article 18(3) of the Law);
- inform and advise a controller or processor and its employees who carry out processing, of their obligations under the Law and other data protection provisions, including where the organization is subject to overseas provisions with extra-territorial effect;
- provide advice, where requested in relation to DPIAs (Article 18(3) of the Law);
- be able to perform their duties and tasks in an independent manner, and be able to act on their own authority (Article 17(2) of the Law); and
- be responsible for overseeing DPIAs (Article 20(3) of the Law) and provide advice in relation to the same (Article 18(3) of the Law).
Note that, where no DPO is appointed, data controllers are still required to clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations under the Law. Nonetheless, Section 4(5) of the Data Protection Notification Guide states that it is recommended for organizations to appoint a DPO as best practice.
Schedule 2 of the Law notes that the maximum fine for failure to appoint a DPO is $50,000.
There is a general obligation to notify the Commissioner of every personal data breach. In this regard, data controllers or data processors carrying out processing at the relevant time will need to notify both the Commissioner and the relevant data subjects in the event of certain data security incidents.
Article 22(1) of the Law states that a controller is required to permanently delete personal data where the basis for processing changes, ceases to exist, or where the controller is required to cease processing due to the exercise of a data subject's rights. Article 22(4) of the Law provides exceptions for instances where the controller will not be required to delete personal data. Further, the data subject has the right to require the controller to erase the personal data under Article 33 of the Law.
Controllers and processors are expected to have in place policies and processes for managing personal data to ensure that personal data is permanently deleted.
Further guidance on the retention and storage of personal data is available on the DIFC website.
Article 11 of the Law stipulates conditions that must be satisfied in order to process special categories of personal data, for example, processing for the purposes of the data subject's employment. Criminal conviction data is considered a special category of personal data.
In particular, special categories of personal data may not be processed unless one of the grounds listed under Article 11 of the Law applies.
Where the processing is to be carried out on behalf of a data controller by a data processor, the processing needs to be governed by a legally binding written agreement between the data controller and the data processor. A data controller shall only enter into agreements with data processors that provide sufficient assurances to implement appropriate technical and organizational measures that ensure the processing meets the requirements of the Law and protects a data subject's rights.
In particular, the written agreement must make clear all relevant aspects of the processing that is taking place, as well as any instructions, commitments to provide accountability and confidentiality, to secure the personal data being processed, to comply with requests for information or audits to the extent required by applicable laws, and generally to comply with data protection principles as set out in the Law and any associated guidance.
Further guidance on controller/processor contracts is available on the DIFC website.
8. Data Subject Rights
Data subjects have the right to be informed before personal data relating to them is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and should be given the right to object to such disclosures or uses.
Data subjects have the right to obtain from the controller, without charge and within one month of a request, confirmation whether personal data relating to them is being processed as well as a copy of the personal data in electronic form.
Data subjects have the right for the personal data relating to them to be rectified by the controller unless it is not technically feasible to do so.
Data subjects have the right to require the controller to erase the personal data relating to the data subject where:
- the personal data is no longer necessary for the purposes for which it was collected;
- the data subject has withdrawn consent;
- processing of the personal data is considered unlawful, or the personal data is to be deleted in order to comply with the laws; or
- the data subject objects to the processing and the controller has no legitimate overriding grounds to continue processing.
Data subjects have the right to object, on reasonable grounds, at any time to the processing of their personal data in certain circumstances.
Data subjects have the right to receive personal data, that has been provided to a controller, in a structured and machine-readable format where the processing is based on the data subject's consent or the performance of a contract and is carried out by automated means.
Data subjects have the right to object to any decision based solely on automated processing, including profiling, which produces legal consequences concerning them or has a similarly significant effect on them.
Right to restriction of processing
Data subjects have the right to require a controller to restrict processing in particular circumstances.
Right to withdraw consent
Data subjects have the right to withdraw their consent at any time by notifying the controller, where the basis for processing their personal data is consent.
Right of non-discrimination
Data subjects have the right not to be discriminated against when exercising their data subject rights. Data controllers may not, as a result of a data subject exercising their rights:
- deny any goods or services to that data subject;
- charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- provide a less favorable level or quality of goods or services to that data subject; and
- suggest that the data subject will receive a less favorable price or rate for goods or services or a less favorable level or quality of goods or services.
Right to lodge a complaint with the Commissioner
Data subjects have the right to lodge a complaint with the Commissioner when they contend that there has been a contravention of the Law or an alleged breach of their rights under the Law.
The Commissioner may issue warnings, directions, or recommendations and, in the case of serious breaches of the Law or the Regulations, initiate proceedings before the DIFC courts, impose fines, or bring claims for compensation on behalf of affected individuals. The DIFC courts may issue any order they consider appropriate in the circumstances.
The Law provides for maximum fines for an administrative breach by either a data controller or data processor of $100,000, with the Commissioner retaining the discretion to issue larger fines for more serious contraventions. Additionally, where material harm is caused, the DIFC courts may award compensation to be paid directly to data subjects.
The Law deviates from the position in the GDPR which provides that a data controller or data processor is exempt from liability if it can prove that it is not, in any way, responsible for the event giving rise to the damage. Instead, under the Law, data controllers are legally responsible to data subjects for all processing.
Please see additional guidance on fines and sanctions on the Commissioner's guidance page.