DIFC: Round-up of guidance on the DIFC's data protection law and regulations – Part 2
The Dubai International Financial Centre ('DIFC') is a Financial Free Zone within the UAE, which itself is a Federation composed of seven Emirates. Being a Financial Free Zone means that UAE federal civil and commercial law does not apply, and the DIFC is able to create its own legal and regulatory framework for all civil and commercial matters. On 21 May 2020, the DIFC Data Protection Law No. 5 of 2020 [1] ('the Law') was enacted in the DIFC and came into effect on 1 July 2020 in addition to the Data Protection Regulations 2020 [2] ('the Regulations'), (collectively, 'DIFC Legislation'). In addition, the DIFC has published several guidance materials [3] relevant to the implementation of DIFC Legislation. The Law introduces various requirements, notably bringing the DIFC into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The Law became enforceable from 1 October 2020.
Part 1 of this Insight series on DIFC legislation and available guidance and materials focused particularly on data protection principles, data security, notification, breach, and Data Protection Impact Assessment ('DPIA') requirements under the Law and Regulations of the DIFC.
This Insight article provides a round-up of the relevant available guidance and materials in relation to valid consent, individuals' rights, and data protection officers ('DPOs') under the Law and Regulations of the DIFC, with a particular focus on the following guides:
- A Guide to Data Protection Law, DIFC Law No. 5 of 2020 and the Data Protection Regulations ('the Guide') [4];
- Guidance Relating to Data Subject Consent ('the Consent Guidelines') [5];
- Guidance on Individuals' Rights to Access and Control ('the Individuals' Rights Guidance') [6]; and
- DPO Annual Assessment Guidance 2021 ('the DPO Guidance') [7].
Part 1 of the DIFC Insight Series covered requirements regarding obtaining explicit consent in relation to the processing of sensitive personal data. This article will take a look at some other relevant guidelines with regards to obtaining valid consent more generally.
Consent is one of the six legal bases for the lawful processing of personal data in Article 10 of the Law. In this regard, the Consent Guidelines provide clarification on the wording of the requirements to obtain valid consent in Articles 10 and 12 of the Law.
Confined to an identified scope of personal data and for a specified purpose
Section 4.3 of the Consent Guidelines provides that it is up to the controller to make the scope of the personal data to be processed clear to the data subject when obtaining consent. Furthermore, the same section notes that a general consent to processing for an unspecified use or purpose, such as that included generally in contractual terms and conditions, will not be valid. In this regard, Section 4.4 of the Consent Guidelines specifies that controllers must also clearly specify the purposes to which the consent relates and must accordingly be able to document and manage the secure and specific use of such personal data.
Additionally, Part 5 of the Law, which provides for requirements to inform data subjects, may also be relevant to obtaining consent during the process of personal data collection as noted by Section 4.3 of the Consent Guidelines.
Requirements for obtaining valid consent
Article 12 of the Law specifies requirements for obtaining valid consent.
Article 12(1) of the Law provides that "consent must be freely given by a clear affirmative indication of consent…". In this regard, Section 5.1 of the Consent Guidelines provides that if the data subject does not have a genuine choice, or is put in a position where he is compelled to consent or to endure negative consequences otherwise, then the consent will not be valid.
Furthermore, in Section 5.1 of the Consent Guidelines the Commissioner notes the following in relation to this requirement:
- compliance documentation relating to the consent requirements should be easily distinguishable and distinct from contractual terms and conditions;
- consent is unlikely to be a good basis for employers to rely on given the imbalance of power between an employer and employee; and
- failing to un-tick a pre-ticked consent box does not constitute a clear affirmative act indicating consent.
Article 12(2) of the Law provides that a controller must be able to demonstrate that consent was given freely.
This places the burden of proof of establishing and demonstrating valid consent on the controller as per Section 5.3 of the Consent Guidelines. Notably, this means that if the controller obtained consent orally, then further measures need to be taken to demonstrate that consent had been freely given.
Consent for multiple purposes
Article 12(3) of the Law provides that if processing is intended to cover multiple purposes, consent must be obtained for each purpose […].
Section 5.4 of the Consent Guidelines clarifies that, with regards to this requirement, the broader the purposes for which consent is sought, the more granular the consent needs to be. Additionally, the data subject should be able to consent to some purposes and not others, requiring separate consent for each along with clear and sufficient information to assess each consent request.
Duration of consent
In relation to Article 12(6) of the Law, Section 6 of the Consent Guidelines notes that consent should not be presumed to last indefinitely but should be assessed on an ongoing basis by the controller by evaluating what period the data subject would reasonably expect to be covered by their given consent. In this regard, such an assessment should be done on a case-by-case basis, rather than assigning specific shelf-lives for consent, taking into account the volume and nature of personal data concerned, the nature of the processing, and the controller's resources.
Requirements for withdrawal of consent
Article 32 of the Law sets out data subjects' right to withdraw consent, while Article 12(5) of the same requires controllers to inform data subjects of this right and how to exercise it, at the time consent is obtained. In this regard, Article 40 of the Law provides that a controller must make available a minimum of two methods by which data subjects may contact the controller to exercise their rights.
As such, Section 7.2 of the Consent Guidelines notes that there is no guarantee that ongoing processing based on consent will remain lawful for any specific time period, since consent can be withdrawn at any time, and therefore controllers may want to consider what other legal basis they can rely on for processing.
However, the same section further warns that controllers should avoid an approach where consent is used but another legal basis for processing is relied on as a back-up, as this may hinder compliance with the information requirements in Articles 29 and 30, due to lack of clarity, and may make the exercise of data subject rights more complex.
Accordingly, the Consent Guidelines note that if neither the contractual legal basis nor the legitimate interest basis applies, the controller may then wish to consider consent as a legal basis for processing personal data.
The Law provides for the following data subject rights:
- right to access (Article 33(1) of the Law);
- right to rectification (Article 33(1)(c) of the Law);
- right to erasure of personal data (Article 33(2) of the Law);
- right to object to processing (Article 34 of the Law);
- the right to restriction of processing (Article 35 of the Law);
- right not to be subject to automated processing (Article 38 of the Law); and
- right to data portability (Article 37 of the Law).
The Individuals' Rights Guidance addresses how data subjects may exercise these rights and how controllers may respond and, among other things, makes particular clarifications on the rights to access, rectification, and objection discussed below.
Right to access
The right to access, the exercise of which is often referred to as a subject access request ('SAR'), generally refers to the data subject's right to receive confirmation from the controller as to whether their personal data is being processed and, if so, the right to access that personal data along with the information outlined in Article 33(1) of the Law.
Section 2.1 of the Individuals' Rights Guidance notes that, though no specific format is required for SARs, what is important is for both parties, the requestor and the controller, to understand the request to ensure an appropriate response.
Moreover, Section 2.1 of the same highlights steps that may be taken in order to appropriately respond to SARs:
- verify the identity of individuals submitting SARs before handing over any personal data;
- refine the scope of the personal data requested by asking questions to get a better understanding of the request (compliance with the SAR is only required once such information has been received), and ensure an adequate response that is useful and informational;
- search for the personal data requested, and notify the individual of whether the search will entail disproportionate measures and any next steps to resolve the issue; and
- respond in an intelligible form, having pre-agreed the format of the response with the individual requestor in advance if possible.
With regards to exclusions in relation to this right, Section 2.3 of the Individuals' Rights Guidance states that entities may exclude data that doesn't qualify as personal data from their response to the SAR, such as anonymous data, internal notations, and third-party data. In this regard, where any information is redacted, the SAR response must clearly and fully explain the fact that information has been withheld and the reasons why.
Furthermore, Section 2.3 of the same provides that any withholding of data due to an exemption or restriction in the Law should first be approved by the entity's DPO or another suitably qualified person.
Section 2.6 of the Individuals' Rights Guidance further addresses prevalent issues with employee SARs and clarifies, with examples, the meaning of 'manifestly unfounded' and 'excessive' in the context of the exemption in Article 33(8) of the Law, and what is regarded as 'appropriate fees' for complex, excessive, unfounded, or repetitive SARs in Article 33(8)(a) of the Law.
Right to rectification
Rectification is the right of individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Section 3.1 of the Individuals' Rights Guidance notes the following best practices with regards to the response of an entity to this right:
- verify the accuracy of data by whatever factual means available, including discussions with, and collecting data from, individuals;
- if the data is linked to an opinion, determine whether the data is indeed inaccurate and needs to be rectified;
- while the above is in progress, restrict the processing of the personal data in question whilst verifying its accuracy, whether or not the individual has exercised their right to restriction; and
- when accuracy is established, let the individual requestor know whether or not it will be amended.
Furthermore, Section 3.1 of the Individuals' Rights Guidance outlines that restricting can be achieved by:
- temporarily moving the data to another processing system;
- making the data unavailable to users; or
- temporarily removing published data from a website.
Right to object
Individuals may object at any time on reasonable grounds to the processing of personal data relating to them and have the right to be informed before personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses (Article 34(1) of the Law).
The right to object only applies in certain circumstances as per Article 34(1)(a) of the Law. However, it may be limited in other situations, such as where the processing is for one of the following (Section 3.4 of the Individuals' Rights Guidance):
- a task carried out in the public interest;
- the exercise of official authority;
- legitimate interests of the processor or a third party; or
- research or statistical purposes.
The same section further notes that such determinations should be made with the review and approval of the DPO or other suitably qualified persons, having assessed the impact on the individual's rights of limiting their objection.
Section 5.1 of the Individuals' Rights Guidance notes that, in line with SARs, individuals may make a request under any of the above rights verbally or in writing, and responses must be provided within one month of the request and free of charge.
Furthermore, and in relation to fees that responding entities may charge, Section 5.2 of the Individuals' Rights Guidance states that data subjects should, without undue delay, be contacted to explain the decision to charge a fee, and compliance with a request is not required until the fee is received.
Article 16(2) of the Law provides that a DPO should be appointed by:
- DIFC bodies, other than the courts acting in their judicial capacity; and
- a controller or processor performing high risk processing activities on a systematic or regular basis.
Notwithstanding the above, Article 16(1) of the Law also provides that controllers or processors may elect to appoint a DPO.
In this regard, the DIFC website includes links to the High Risk Processing Guidance [8], the HRP survey [9], the DPO survey tool [10], and a sample DPO job description [11] that can help entities determine whether they are engaging in high risk processing.
Article 19 of the Law provides that if a DPO is appointed, they should undertake an assessment of the entity's processing activities at least once per year ('the Annual Assessment'), which should be submitted to the Commissioner.
Section 3 of the DPO Guidance further provides that the Annual Assessment is available as a service request under the services tab of the DIFC Client Portal [12] ('the Portal').
Furthermore, Section 4 of the DPO Guidance outlines the information required about processing activities that is needed to complete an Annual Assessment, which includes the following:
- information about personal data collection, sharing, deletion, and storage methods; and
- information to understand the nature and scope of processing activities, the context of processing, purposes for processing, and necessity and proportionality of the processing of personal data.
The same section further notes that each section of the Annual Assessment will guide DPOs with suggested responses; however, more information can be included in text boxes, by uploading flow diagrams, policies, links to online notices and information, or anything else that may help the Commissioner's Office understand the processing activities involved.
Moreover, Section 5 of the DPO Guidance notes that DPOs should consider risks around the type(s) of processing the entity engages in.
The DIFC website also includes a sample DPO annual assessment [13] that may guide DPOs towards fulfilling this requirement.
Lastly, Section 6 of the DPO Guidance clarifies how DPOs may submit the Annual Assessments, noting that once submitted as a 'Service Request' in the Portal, the Commissioner's office will review the submissions and may decide to further inspect certain entities based on the response and clarity of information provided, and the risks associated with the processing.
The DPO Guidance includes a few frequently asked questions ('FAQs') on DPOs and Annual Assessments.
Alice Muasher, Privacy Analyst
1. Available at: https://www.dataguidance.com/legal-research/data-protection-law-difc-law-no5-2020
2. Available at: https://www.dataguidance.com/legal-research/data-protection-regulations-2020
3. Available at: https://www.difc.ae/business/operating/data-protection/guidance/
4. Available at: https://www.dataguidance.com/legal-research/guide-data-protection-law-difc-law-no-5-2020
5. Available at: https://www.dataguidance.com/legal-research/guidance-relating-data-subject-consent
6. Available at: https://www.dataguidance.com/legal-research/difc-individuals-rights-access-and-control-difc-personal-data-processing
7. Available at: https://www.dataguidance.com/legal-research/dpo-controller-assessment-guidance-2021
8. Available at: https://www.dataguidance.com/legal-research/high-risk-processing-activities
9. Available at: https://www.surveygizmo.com/s3/5795100/DP-Assessment-Tool-High-Risk-Processing-Activities
10. Available at: https://www.surveygizmo.com/s3/5699999/Data-Protection-Law
11. Available at: https://www.difc.ae/application/files/1516/3602/6165/Sample_Data_Protection_Officer_JD.pdf
12. Available at: https://portal.difc.ae/clientportal/s/login/
13. Available at: https://www.difc.ae/application/files/7316/2504/6868/DP_Annual_Assessment_template_-_FINAL_June_2021.xlsx