The Dubai International Financial Centre (DIFC) Data Protection Law 2020 (DP Law) applies to the DIFC financial services free zone in Dubai, United Arab Emirates and took effect on 1 July 2020. The DIFC DP Law protects the personal data held and processed by organisations that are registered in the DIFC as well as linked external organisations. New data protection rights include the right to access personal data, the right to data portability, the right to withdraw consent, the right to object to automated decisions (including profiling) and the right not to suffer discrimination for exercising data protection rights. Businesses have an overriding duty to demonstrate compliance with the data protection principles. The DIFC Commissioner of Data Protection is the regulator. Regulator enforcement starts on 1 October 2020.

1. What types of organisations are covered by DIFC DP Law?

The law applies to businesses that are registered in the DIFC or businesses that process personal data in the DIFC as part of stable arrangements. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law.

2. What types of data or information are covered by DIFC DP Law?

The DIFC DP Law protects personal data, which is defined as information that identifies living individuals or makes them identifiable. "Identified or identifiable" means by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors about an individual’s biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.

3. What are the main DIFC DP Law obligations for businesses?

Businesses must:

  1. Comply with the additional data protection principles of accountability (demonstrating compliance) and transparency, and process personal data in line with the rights of individuals.
  2. Appoint a Data Protection Officer (DPO), if they are DIFC bodies or carry out high risk processing on a systematic or regular basis. Other controllers or processors may appoint DPOs.
  3. Report data breaches as soon as practicable in the circumstances to the DIFC Commissioner of Data Protection and to individuals affected (if the breach is a high risk to security or individual rights).
  4. Register with the regulator and publish detailed data protection notices.
  5. Complete Data Protection Impact Assessments (DPIAs) for high risk data processing.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with DIFC DP Law?

Yes, in large part, but not completely. GDPR and DIFC DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. DIFC DP Law was enacted to include provisions that largely mirror GDPR. It is likely that the DIFC will make an application to the European Union (EU) for an adequacy decision to ease international data transfers between the DIFC and the EU. GDPR data mapping and records of processing activity logs can help to identify DIFC DP Law impacted personal data. GDPR Privacy Notices, policies and GDPR processes used to respond to GDPR rights can assist DIFC DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated.

5. Does the DIFC DP Law apply to foreign-based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses process personal data and are registered in DIFC or process personal data in the DIFC as part of stable arrangements in the DIFC, then the DIFC DP Law will apply. The law also applies to businesses that process data on behalf of organisations registered in the DIFC or for organisations that process data in the DIFC as part of stable arrangements. The DIFC Commissioner for Data Protection can impose administrative fines of up to $100,000. DIFC Courts can order businesses to pay compensation to individuals.