Personal Data Protection in the DIFC – FAQ

  1. What is Personal Data?

Any information referring to an identified or identifiable natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number and/or location data. Examples of personal data include, inter alia, a person’s name, date of birth, residential address marital status and/or academic information.

 

  1. Why protect personal data?

Personal data protection is an imperative part of any effective legislative system as the relevant laws enforce regulations to attempt to minimize the probability of an event where a data subject’s personal data falls into the wrong hands, which could result in identity theft, discrimination or even physical harm.

 

  1. What is Special Category Data?

Is a kind of personal data that reveals (or pertains to) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record and/or health and sex life.

 

  1. Difference between a controller and a processor of personal data?

A data controller regulates the procedures and purpose of using personal data while a processor processes any data that the data controller has given them. The data controller may also be the processor in the case that the personal data, after being collected by the controller, is processed internally without such processing being outsourced to another entity. Additionally, it is noteworthy to highlight that a controller is always responsible for the personal data outsourced to a processor.

 

  1. What are the major data protection compliance requirements imposed on a controller/processor?
  • Personal data must be processed lawfully, fairly, transparently, for a specified and legitimate reason explicitly declared to the data subject at the time such data is collected, processed in accordance with the relevant laws and kept secure and protected against unauthorized processing, loss and/or damage.
  • Where special categories of personal data are controlled/processed, the special requirements and procedures pertaining thereto are followed.
  • The data subject’s consent is explicitly procured for each purpose of processing. Additionally, the data subject is informed of his/her right to withdraw such consent and the method to withdraw such consent.
  • The controller/processor should maintain compliance with the applicable laws, maintain appropriate controls, policies and procedures concerning the protection of personal data, ensure sufficient data security measures are in place and/or appoint a data protection officer (“DPO”) when required.

 

  1. What is a DPO and when to appoint one?

A DPO is a person appointed by a controller and/or Processor to independently oversee relevant data protection operations and ensure its compliance to the applicable laws.

Furthermore, other than being a DIFC Body, a DIFC entity is required to appoint a DPO where:

  • the DIFC entity engages in one or many High Risk Processing Activities and/or
  • when directed to appoint one by the DIFC Commissioner regardless of whether or not the DIFC entity is engaged in High-Risk Processing Activities.

 

  1. What are High Risk Processing Activities?

High Risk Processing Activities is where one or more of the following applies:

  • processing of personal data includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of data subjects or renders it more difficult for data subjects to exercise their rights;
  • a considerable amount of personal data will be processed (including staff and contractor personal data) and where such processing is likely to result in a high risk to the data subject, including due to the sensitivity of the personal data or risks relating to the security, integrity or privacy of the personal data;
  • the processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
  • a material amount of special categories of personal data is to be processed.

 

  1. What is the notification for processing personal data?

Every DIFC entity must notify the DIFC Commissioner (and keep the latter updated on the earlier of the entity’s anniversary or a change in its data control/processing habits) of whether or not it processes personal data. More specifically, if it does, the entity will be required to notify the Commissioner of:

  • the scope of personal data it processes, its activities and operations;
  • if it processes any special category data;
  • if it transfers personal data outside the DIFC;
  • the policies, procedures and accountability process enforced within.

 

  1. What happens incase of a personal data breach?

Where a breach that compromised the personal data controlled/processed by a DIFC entity has occurred, the following must be observed:

  • the controller needs to notify the DIFC Commissioner as soon as practical or the processor needs to notify the controller as soon as practical (as applicable);
  • the controller/processor shall cooperate fully with any investigative process conducted by the DIFC Commissioner; and
  • if the breach is likely to result in a high risk to the security or rights of a Data Subject, the Controller needs to notify the data subject of such as soon as possible;

 

  1. What are the data subjects’ rights and how to exercise such rights?

A data subject has several rights in relation to its personal data that is controlled and/or processed by a DIFC entity under the applicable laws, most importantly:

  • the absolute right to withdraw its consent via notification of its desire to the controller/processor;
  • right to access, rectify and erase the personal data (subject to the provisions of the applicable laws);
  • right to object to Processing
  • right to be informed of what the personal data is used for and when being disclosed to third parties;
  • right to restrict processing of its personal data;
  • right to view the personal data collected by the controller; and
  • right to not be discriminated against.

A controller must make available to a data subject no less than 2 methods (such as telephone, email, post, online application link, etc…) through which a data subject can request the controller to exercise any one or more of the rights identified hereinabove.

 

  1. What are the data subjects’ remedial course(s) of action?

If a data subject believes that an illegitimate and/or non-compliant act has been effectuated in relation to his/her personal data, the data subject can lodge a complaint with the DIFC Commissioner in light of the following:

  • multiple data subjects affected by the same contravention may raise a complaint collectively;
  • the DIFC Commissioner shall decide on whether to attempt to mediate between the claimant(s) and the defendant(s) or investigate the complaint;
  • in light of the results of the mediation attempts or the investigation (as applicable), the DIFC Commissioner may issue a direction or declaration in accordance with the applicable law;
  • appeals against the DIFC Commissioner’s decision can be appealed in front of the courts within 30 days from the issuance of the decision; and
  • a data subject who has suffered damage and/or loss may seek compensation from the controller/processor in court.

 

Disclaimer: This publication does not provide any legal advice and it is for information purposes only. You should not rely upon the material or information in this publication as a basis for making any business, legal or other decisions. Any reliance you place on such material is therefore strictly at your own risk.

Author: Mohammed El-Dakamawy (former employee)

Share this post on: 

RELATED NEWS

Revolutionizing Cost Allocation in ICC Arbitration: The Dubai Court of Cassation’s Landmark Decision on Article 38

The Dubai Court of Cassation (DCC) has ruled that unilateral arbitration clauses, which grant one party exclusive discretion to choose arbitration as a dispute resolution mechanism, are unenforceable under UAE law. This decision emphasizes the importance of mutual consent and clarity in arbitration agreements, highlighting the need for fair and balanced drafting to ensure enforceability.

Jurisdiction of the Insurance Dispute Resolution Committees (IDRC) in the UAE: Scope and Territorial Competence

Challenging jurisdiction is a critical defense strategy that lawyers often evaluate at the outset of a case. This article explores the jurisdictional scope of the UAE’s Insurance Dispute Resolution Committees (IDRC) in light of Federal Decree by Law No. (42) of 2022 and the IA Board of Directors Decision No. (33) of 2019. It addresses whether IDRC branches in specific Emirates, such as Dubai, are territorially restricted or have nationwide competence. Drawing on recent case law, including Dubai Court of Cassation Case No. 96 of 2024, the analysis concludes that all IDRC branches operate with federal jurisdiction across the UAE, irrespective of their physical location.