DIFC: Round-up of guidance on the DIFC's data protection law and regulations – Part 1
The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020[1] ('the Law') was enacted in the DIFC and came into effect on 1 July 2020, together with the Data Protection Regulations 2020[2] ('the Regulations') (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials[3] relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.
This Insight article provides a round-up of the relevant available guidance and materials in relation to data protection principles, data security, notification, breach, and Data Protection Impact Assessment ('DPIA') requirements under the Law and Regulations of the DIFC, with a particular focus on the following guides:
- A Guide to Data Protection Law, DIFC Law No. 5 of 2020 and the Data Protection Regulations ('the Guide');
- Complete Guide to Data Protection Notifications ('the Notifications Guide');
- Guidance Relating to Data Subject Consent ('the Consent Guidelines');
- Security Breach Guidance ('the Breach Guidance'); and
- High Risk Processing Guidance ('the High Risk Processing Guidance').
Scope of DIFC Legislation
The Law states that it is applicable to both controllers and processors in the DIFC, as well as entities outside the DIFC that process personal data as part of stable arrangements, other than on an occasional basis (Article 6 of the Law).
In this regard, Page 1 of the Guide expands on the meaning of 'stable arrangements', noting that the term comes from a concept in law under which a legally binding or recognised agreement, or an existing and valid relationship, may be enough to require the principles of the Law to be demonstrated in such an arrangement.
Furthermore, the Guide notes that while non-DIFC entities may be subject to the Law either directly or indirectly, they are not necessarily required to register or notify their operations to the Commissioner or to complete other administrative tasks. They may however be subject to fines, warnings, or public reprimand by way of their stable arrangements, either directly or indirectly (Page 1 of the Guide).
Principles of processing personal data
The Law sets out general requirements for the processing of personal data by controllers and processors and notes that personal data should be (Article 9 of the Law):
- processed in accordance with one of the legal bases outlined in Article 10 of the Law;
- processed lawfully, fairly, and in a transparent manner in relation to a data subject;
- processed for specified, explicit, and legitimate purposes determined at the time of the collection of the personal data;
- processed in a way that is compatible with the stated purposes;
- relevant and limited to what is necessary in relation to the stated purposes;
- processed in accordance with the application of data subject rights under the Law;
- accurate, and up to date, including via erasure or rectification, without undue delay;
- kept in a form that permits identification of a data subject for no longer than is necessary for the stated purposes; and
- kept secure, including being protected against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Guide further expands on and clarifies some of the concepts outlined in the list above.
Processed lawfully, fairly, and in a transparent manner
The Guide notes that 'fairly' means that the paramount consideration is the consequence of the processing on the interests of data subjects, taking into account the purpose and nature of the processing (Page 5 of the Guide).
Furthermore, 'lawfully' should be interpreted as a requirement to comply with all relevant rules of law relating to the purpose and ways in which the controller or processor processes personal data. In this regard, there are certain areas of law concerning the use of data that may be of particular relevance here and may depend on the relationship of the DIFC entity with data subjects, including (Page 6 of the Guide):
- confidentiality arising from the relation of the DIFC entity and the data subject; and
- legitimate expectation, i.e. the expectation of the data subject as to how the relevant entity will use its personal data.
Moreover, 'in a transparent manner' is taken to mean that personal data is handled on the basis on which it was provided, i.e. on the basis of trust and an understanding that it is only used for the purpose specified. Notably, here the data subject's legitimate expectation as to how their personal data will be used is relevant to the assessment of whether this provision has been breached (Page 6 of the Guide).
Processed for specified, explicit, and legitimate purposes
Relevant and limited to what is necessary
The Guide states that this provision requires entities to seek to identify the minimum amount of personal data that is required to properly fulfil the purpose, noting that it is not acceptable to hold personal data on the basis that it may be useful in the future without knowing how it will be used (Page 8 of the Guide).
Accurate and up to date
The Guide notes that, in relation to this provision, personal data is inaccurate if it is incorrect or misleading as to any fact; however, entities would not be in breach of this provision if (Page 9 of the Guide):
- the entity had taken reasonable steps to ensure the accuracy of the personal data considering the purposes for which it was obtained; and
- the data subject has notified the entity that it knew its personal data was inaccurate and the personal data indicates that fact.
Furthermore, in seeking compliance with this provision, the Guide highlights that entities should consider whether (Pages 9 and 10 of the Guide):
- there is a record of when the personal data the entity holds was recorded or last updated;
- all those involved with the collection and processing of personal data are aware that the data may not necessarily be up to date or accurate;
- effective steps have been taken to update personal data; and
- if the personal data is out of date, it is likely to cause damage or distress to the data subject.
Kept in a form that permits identification of a data subject for no longer than is necessary
Entities are under an obligation to continuously consider the value of the personal data they have collected and to determine at appropriate stages whether the personal data they hold is still necessary for the purposes for which it was collected (Page 10 of the Guide).
Special category personal data
Further to Articles 11 and 12 of the Law, the Guide expands on the requirement of explicit consent in relation to special category data in Article 11(a) of the Law, noting that the consent should cover (Page 2 of the Guide):
- the specific details of processing;
- the particular type of personal data to be processed, or even the specific information itself; and
- the purpose of the processing and any special aspects of it that may affect the data subject, e.g. disclosures which may be made.
Notably, the Guide states that the Commissioner is of the view that explicit consent can be conveyed orally or in writing; however, it is recommended that written consent from data subjects is obtained. Alternatively, the Guide notes that where consent is obtained orally, a detailed note of the relevant details of the consent should be retained (Page 13 of the Guide).
Furthermore, the Consent Guidelines provide that with regards to explicit consent (Section 4.5 of the Consent Guidelines):
- the data subject needs to undertake an affirmative act to clearly agree with the entity's request for consent, if any; and
- such a request should refer to the special categories of personal data to be processed and the specific purposes thereof.
Notably, Section 4.5 of the Consent Guidelines further states that consent which is inferred cannot be considered explicit consent.
Security of processing
Further to controllers' and processors' requirement to implement appropriate technical and organisational measures to safeguard personal data as per Article 14 of the Law, the Guide outlines what actions entities may take in fulfilling this requirement (Page 12 of the Guide):
- conduct risk assessments to identify the risk to personal data held by the entity and the consequences of a security breach;
- develop a security policy that implements measures, practices, and procedures to reduce the identified risk to security;
- train staff and management in security awareness, practices, and procedures;
- monitor and review compliance with the security policy, conducting periodic assessments of new security risks and the adequacy of existing security measures; and
- conduct internal audits to ensure compliance with the Law.
Moreover, in relation to the security of personal data, the Guide notes that this can consist of maintaining the following (Page 12 of the Guide):
- the personal data's physical security by adopting measures to prevent unauthorised access to premises and/or systems where personal data lies;
- measures to protect computer systems and networks that store, process, and transmit personal data from unauthorised access, modification, and disclosure;
- communications security measures to protect data transmissions from being intercepted and prevent unauthorised intrusions into computer networks;
- procedural and personal measures for limiting access to personal data by authorised staff for approved purposes and controls to minimise security risks; and
- reasonable steps to ensure the proper destruction of both paper and electronic data that is stored and available, and appropriate methods for its erasure.
Notifications to the Commissioner
Registration with the Commissioner
The Notifications Guide notes that notification is the process by which an entity describes its manner of processing personal data (Section 1.1 of the Notifications Guide).
Initially, controllers and processors are required to register with the Commissioner by filing a notification of processing operations, which should be kept up to date using the DIFC client portal[5]; the process for this is outlined in detail in Section 1.4 of the Notifications Guide (Articles 14(7) and (8) of the Law and Page 13 of the Guide).
Fees related to the notification should be paid at the time of registration[6]. The fee amount mainly depends on the type of entity and which category it falls into. DIFC registered entities must pay a fee of $1,250 upon registration and $500 for annual renewals of registration (Page 14 of the Guide).
Details on what the notification form should include can be found in Section 3 of the Notifications Guide.
Furthermore, the Notifications Guide provides that DIFC entities must notify the Commissioner as soon as possible, and in any event within 14 days, of any personal data processing (Section 1.4 of the Notifications Guide). Additionally, any changes/amendments to the registration particulars must be notified to the Commissioner as soon as possible, and in any event within 14 days of the changes affecting the initial notification, which incurs a fee of $100 for DIFC registered entities. Failure to keep a register entry up to date constitutes a violation of the Law (Section 1.4 of the Notifications Guide).
The Guide further notes that the DIFC client portal will remain the source for any relevant DIFC entity to receive communications, updates, and other helpful information, both generally and as regards data protection (Pages 13 and 14 of the Guide). The Guide also states that whenever such notifications are received by the Commissioner, the details will be set out on the DIFC public register in order to act in part as a notification to data subjects that a relevant entity may be processing their personal data. This constitutes a form of accountability and ensures that up-to-date information about the processing entity is available in order to assert any rights (Page 14 of the Guide and Section 2.3 of the Notifications Guide).
Notably, the Notifications Guide provides that even where a DIFC entity does not process any personal data, it must still submit a notification reflecting this status (Section 1.7 of the Notifications Guide).
Further details on the notification lifecycle can be found in Section 2 of the Notifications Guide.
Notification of personal data breaches
Controllers are required to notify the Commissioner of a personal data breach as soon as practicable in the circumstances, if such a breach compromises the data subject's confidentiality, security, or privacy (Article 41(1) of the Law). Similarly, processors are required to notify controllers without undue delay after becoming aware of a personal data breach (Article 41(2) of the Law).
The DIFC's security and breach reporting page[7] may be of use to help entities assess whether they need to notify the Commissioner of a specific personal data breach and/or to report a personal data breach (Section 2 of the Breach Guidance). Section 2 of the Breach Guidance further outlines alternative ways in which a personal data breach may be notified.
Data Protection Impact Assessments
Controllers are required to carry out DPIAs before undertaking high risk processing activities, as defined in Schedule 1, Article 3 of the Law (Article 20(1) of the Law). Furthermore, the high risk processing activities detailed in Schedule 1, Article 3 of the Law are clarified and expanded in Section 3 of the High Risk Processing Guidance, with examples also provided in Schedule 2 of the same.
Moreover, a high-level decision tree is provided in Schedule 1 of the High Risk Processing Guidance to help entities assess whether they are undertaking a high risk processing activity.
Notably, a DPIA template[8] is available on the DIFC website to assist entities in compliance with this requirement.
Alice Muasher, Privacy Analyst
1. Available at: https://www.dataguidance.com/legal-research/data-protection-law-difc-law-no5-2020
2. Available at: https://www.dataguidance.com/legal-research/data-protection-regulations-2020
3. Available at: https://www.difc.ae/business/operating/data-protection/guidance/
4. Available at: https://www.difc.ae/online-data-protection-policy/
5. Available at: https://portal.difc.ae/clientportal/s/login/
6. Details on the fees attached to this notification obligation can be found at: https://www.difc.ae/business/operating/data-protection/forms-fees/ or in Section 2.2 of the Notifications Guide, and should be paid at the time of registration.
7. Available at: https://www.difc.ae/business/operating/data-protection/security-breach-reporting/
8. Available at: https://www.difc.ae/files/9815/9791/8020/Example_compliance_checklist_and_DPIA.xlsx