NEWS October 04 2020

DIFC’s Data Protection Law

By Eimhéar O’Kane, Associate


As of Thursday 1st October 2020, all entities to whom DIFC Law No.5/2020 on Data Protection (the “DP Law”) applies, must ensure they are compliant with the changes introduced therein & be able to demonstrate this compliance.

The DP Law applies to “the processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not”. It is important to note that the DP Law also applies to “a Controller or Processor, regardless of its place of incorporation [emphasis added], that Processes Personal Data in the DIFC as part of stable arrangements”. 

The DP Law (and its supporting regulations) update the DIFC’s previous data protection law and demonstrates a move towards implementation of more internationally recognised standards.

Similar to the EU General Data Protection Regulations, the DP Law is based on the principles of fairness & transparency, legitimate & lawful processing, accountability, accuracy, integrity and confidentiality.

The DP Law sets out detailed regulations in relation to a wide range of matters, including (but not limited to):

·         Registration of data controllers;

·         Rights of data subjects;

·         Transfer of data outside of DIFC; and

·         Duty to report data breaches.

Companies who process personal data in the DIFC must notify the appointed commissioner of this. The commissioner shall maintain a register of data processors & controllers for the purposes of supervision & regulation.

For ease of reference, “Processing” of Personal Data includes (but is not limited to) collection, recording, organisation, structuring, storage, consultation, use, disclosure, transfer, or destruction of data for a commercial purpose.

Data subjects are granted comprehensive rights under DP Law, these include right of access to their date, right to be forgotten (i.e. the erasing of their data), the right to object to the processing of their personal data and the right to withdraw consent. As part of steps to compliance, companies will need to ensure sufficient policies are implemented to raise awareness of these rights and to ensure they are adequately protected.

Similarly, companies (and the individuals employed therein) should be fully aware of their obligations to report a data breach and the conditions for doing so, including doing so “as soon as reasonably practicable”. Comprehensive guidance has been published by DIFC to assist with better understandings of this.

Sanctions for non-compliance with the DP Law can be substantial, with maximum fines ranging from US$ 20,000 to US$ 100,000 depending on the breach. In addition to this, compensation may be awarded to a data subject when damage has occurred because of a breach.

As an immediate step, entities should establish whether the law applies to them and carry out an investigation into what data they collect, how they collect it and decide what steps they need to take to comply with the DP Law as a matter of urgency.

You might also be interested in...
NEWS November 02 2020
Financing An International Trade
NEWS June 30 2020
Public Prosecution in Dubai
NEWS June 22 2020
Covid-19 & Force Majeure
NEWS June 15 2020
Use of Electronic Signatures
NEWS May 04 2020
Piercing the Corporate Veil
NEWS January 16 2020
Bona Fide Principle Prevails
NEWS September 04 2018
Franchising in the UAE
NEWS November 14 2018
Extradition Requests in the UAE
NEWS April 24 2018
Bankruptcy in the UAE
NEWS February 07 2018
Seminar: UAE Civil Procedures Law
NEWS March 19 2018
Recent Developments at the RDC
NEWS August 01 2018
Charities and Endowments in Dubai
NEWS September 17 2017
Our Litigation Team Award Winners
NEWS December 05 2022
Interest on Late Payments in the UAE
NEWS February 07 2024
Abu Dhabi Welcomes arbitrateAD

For better web experience, please use the website in portrait mode