DIFC Data Protection Law
This Law became effective on 1 July 2020. It repeals and replaces the Data Protection Law, Law No. 1 of 2007, as in force immediately before the commencement of this Law (“the Previous Law”), together with all Regulations made under the Previous Law, with effect from the commencement of this Law.
The purpose of this Law is to provide standards and controls for the Processing and free movement of Personal Data by a Controller or Processor and protect the fundamental rights of Data Subjects, including how such rights apply to the protection of Personal Data in emerging technologies.
DIFC Law Applicability (Article 6)
The Data Protection Law applies to:
- Any Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC; or
- Any business, regardless of its place of incorporation, which Processes Personal Data within the DIFC as part of stable arrangements; or
- Transfers of Personal Data out of the DIFC by any Controller or Processor carrying out Processing in the DIFC; or
- Any business which Processes Personal Data on behalf of any of the above.
This Law does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.
DIFC Important Definitions (Article 3)
Personal Data:
Any information referring to an identified or Identifiable Natural Person.
Data Subject:
The identified or Identifiable Natural Person to whom Personal Data relates.
Controller:
Any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Process, Processed, Processes and Processing (and other variants):
Any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction.
Third Party:
Any person, other than the Data Subject, Controller, Joint Controller, Processor or Sub-processor, who is authorized to Process Personal Data.
DIFC Data Subject Rights
- Right to withdraw consent (Article 32)
The Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5).
- Right of access (Article 33)
Upon request, a Data Subject has the right to obtain from a Controller, without charge and within one (1) month of the request, confirmation in writing as to whether or not Personal Data relating to him is being Processed, and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed.
- Right to rectification (Article 33)
A Data Subject has the right to have inaccurate Personal Data rectified.
- Right to deletion (Article 33)
A Data Subject has the right to require the Controller to erase the Data Subject’s Personal Data.
- Right to object to Processing (Article 34)
A Data Subject has the right to object at any time, on reasonable grounds relating to his situation, to the Processing of Personal Data relating to him.
- Right to restriction of Processing (Article 35)
A Data Subject has the right to require a Controller to restrict Processing.
- Right to data portability (Article 37)
A Data Subject has the right to receive Personal Data in a structured, commonly used and machine-readable format.
- Right related to automated individual decision-making (Article 38)
A Data Subject has the right to object to any decision based solely on automated Processing, including Profiling, which produces legal consequences concerning him or other seriously impactful consequences, and to require such a decision to be reviewed manually.
- Right to non-discrimination (Article 39)
A Controller may not discriminate against a Data Subject who exercises any rights under this Law.
Appointment of Data Protection Officer In DIFC (Article 16)
A DPO shall be appointed by:
- DIFC Bodies, other than the Courts acting in their judicial capacity; and
- A Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.
A DPO must have knowledge of this Law and its requirements, and shall ensure that the Controller or Processor monitors its compliance with this Law.
Where a Controller is required to appoint a DPO under this Law, the DPO shall undertake an assessment of the Controller’s Processing activities at least once per year (“the Annual Assessment”), which shall be submitted to the Commissioner.
DIFC Enforcement (Article 62)
The fines that may be imposed are set out in Schedule 2 of the Law. The Law sets a maximum fine of USD 100,000 for the administrative contraventions listed in Schedule 2, with scope for larger, uncapped fines for more serious violations.
The Law also provides for compensation claims to be brought by, or on behalf of, Data Subjects.
Conclusion: DIFC Compliance & Law
Data Protection compliance is not a one-time requirement for organizations incorporated in, or operating within, the DIFC. To avoid penalties or legal action, an organization must follow the Data Protection regulations and maintain compliance on an ongoing basis.
Organizations must also keep track of existing and upcoming Data Protection requirements in other countries, since data moves globally and data protection regulations differ from jurisdiction to jurisdiction.