Data Protected - Dubai International Finance Centre
Last updated April 2024
General | Data Protection Laws
National Legislation
General data protection laws
The DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) (the “Data Protection Law”) and the DIFC Data Protection Regulations (the “Regulations”).
Entry into force
The Data Protection Law and the Regulations entered into force on 1 July 2020.
National Supervisory Authority
Details of the competent national supervisory authority
Dubai International Financial Centre Authority (the “DIFC Authority”)
Level 14, The Gate
PO Box 74777
Dubai
United Arab Emirates
The DIFC Authority is responsible for implementing regulations related to the application of the Data Protection Law. The President of the Dubai International Financial Centre (the “DIFC”) is charged with appointing the Commissioner for the purposes of the Data Protection Law (the “Commissioner”) to administer the Data Protection Law.
Notification or registration scheme and timing
A controller or processor must register with the Commissioner by way of notification. This notification is maintained on a publicly available register by the Commissioner.
A controller or processor must notify the Commissioner where any personal data processing operation or set of operations occurs involving: (i) the processing of personal data; (ii) the processing of special category data; or (iii) the transfer of personal data to a recipient outside the DIFC which is not subject to a data protection regime which ensures an “adequate” level of protection (see Restrictions on transfers to third countries, below). Such notifications must be updated annually and following any change in the manner of processing.
Controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions).
Exemptions to notification
Not applicable.
Scope of Application
What is the territorial scope of application?
The Data Protection Law applies to the processing of personal data: (i) by controllers and processors incorporated in the DIFC regardless of whether any processing occurs in the DIFC or not; and (ii) by controllers and processors, regardless of their place of incorporation, if they process personal data in the DIFC as part of stable arrangements, other than on an occasional basis.
Processing “in the DIFC” occurs when the means or personnel used to conduct the processing activity are physically located within the jurisdiction of the DIFC.
Is there a concept of a controller and a processor?
Yes. The Data Protection Law contains the concept of a controller, who determines the purpose and means of processing, and a processor, who just processes personal data on behalf of the controller.
Both controllers and processors are subject to the rules in the Data Protection Law, but the obligations placed on processors are more limited.
Are both manual and electronic records subject to data protection legislation?
Are there any national derogations?
The Data Protection Law does not provide for general national derogations. However, the DIFC Authority’s Board of Directors is permitted to make regulations exempting a controller from compliance with the Data Protection Law. Furthermore, specified provisions of the Data Protection Law do not apply to the Commissioner, the DIFC Authority, the Dubai Financial Services Authority, the DIFC courts and any other person, body, office, registry or tribunal established under DIFC laws or established upon approval of the President of the DIFC that is not revoked (each, a "DIFC Body") where the application of those provisions would be likely to cause material prejudice to the proper discharge by those entities of their powers and functions under any laws administered by them.
The Data Protection Law does not apply to the processing of personal data by law enforcement authorities for the purposes of law enforcement, including the prevention, investigation, detection or prosecution of criminal offences and prevention of threats to public security.
Personal Data
What is personal data?
The Data Protection Law defines personal data as any data relating to an identified or identifiable natural person. An identifiable natural person is a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or an identification number or to one or more factors specific to their biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.
The Data Protection Law expressly states it includes online identifiers.
Is information about legal entities personal data?
No. However, the Data Protection Law may apply to any natural person acting as a sole trader or as a member of a partnership.
What are the rules for processing personal data?
All processing of personal data must comply with certain general principles similar to the general data quality principles. Personal data must be: (i) processed lawfully, fairly and transparently; (ii) collected for specific, explicit and legitimate purposes; (iii) processed in a manner not incompatible with those purposes; (iv) relevant and limited to what is necessary in relation to those purposes; (v) processed in accordance with the application of data subject rights; (vi) accurate and, where necessary, up to date; (vii) kept in an identifiable form for no longer than necessary; and (viii) kept secure.
The processing of personal data must also satisfy at least one of the following conditions for processing personal data: (a) carried out with the data subject’s consent; (b) necessary for the performance of a contract with the data subject; (c) necessary for compliance with a legal obligation; (d) necessary in order to protect the vital interests of the data subject or of another natural person; (e) in respect of a DIFC Body, necessary for the performance of a task carried out in the interests of the DIFC, or in the exercise of the functions of that DIFC Body, or powers vested in that DIFC Body or in a third party to whom the personal data is disclosed by the DIFC Body; or (f) necessary for the controller’s or third party's legitimate interests, except where overridden by the interests of the data subject.
Are there any formalities to obtain consent to process personal data?
The requirements for consent under the Data Protection Law are strict.
To be valid, consent must be freely given by a clear affirmative act that shows an unambiguous indication of consent so pre-ticked boxes are not acceptable. If the performance of an act by a controller, a data subject or any other party is conditional on the provision of consent to process personal data then consent will not be considered freely given with respect to any processing which is not reasonably necessary for the performance of such act or where the consent relates to excessive categories of personal data. The controller must be able to demonstrate that consent has been freely given.
If processing of personal data is sought for multiple purposes, then consent must be obtained for each purpose in a clearly distinguishable manner, in an intelligible and easily accessible form, using clear and plain language. If a controller is seeking consent for other matters not relating to the processing of personal data then any request for consent for processing of personal data must also be clearly distinguishable for the other matters, in an intelligible and easily accessible form, using clear and plain language. Finally, consent can be withdrawn at any time.
In practice, other processing conditions should be relied on where possible. Consent will only be an appropriate processing condition if the individual has a genuine choice over the matter, for example, whether to be sent marketing materials.
Are there any special rules when processing personal data about children?
The Data Protection Law does not impose any additional rules that are applicable when processing personal data relating to children.
Are there any special rules when processing personal data about employees?
No. However, it is possible to process special category personal data where it is necessary for carrying out the obligations and exercising the specific rights of a controller or a data subject in the context of the data subject's employment or the assessment of the working capacity of an employee.
Sensitive Personal Data
What is sensitive personal data?
Sensitive personal data is referred to as “special category personal data” in the Data Protection Law. Special category personal data is personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.
Are there additional rules for processing sensitive personal data?
Special categories of personal data should not be processed unless both the general conditions for processing personal data are satisfied and at least one of the following conditions is met: (i) the data subject has given explicit consent; (ii) the processing is necessary in order for the controller or the data subject to carry out its obligations or exercise its rights in the context of the data subject’s employment; (iii) the processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is unable to give consent; (iv) the processing is carried out by a non-profit-seeking body and relates to members of that body or persons with whom that body has regular contact (provided such personal data is not disclosed to any third party); (v) the processing relates to personal data made public by the data subject; (vi) the processing is necessary in connection with legal claims; (vii) the processing is necessary for compliance with laws to which the controller is subject (provided the controller has given the data subject clear notice of such processing as soon as reasonably practicable, unless this is prohibited); (viii) the processing is necessary for compliance with anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime; (ix) the processing is necessary for public health reasons or to assess the working capacity of an employee; (x) the processing is necessary to protect members of the public against financial loss due to improper conduct by persons concerned with the provision of certain financial services; (xi) the processing is proportional and necessary to protect a data subject from potential bias or inaccurate decision making; and (xii) the processing is necessary for reasons of substantial public interest that are proportionate to the aim(s) pursued, provided the rights of the data subject are safeguarded.
Are there additional rules for processing information about criminal offences?
No. Information about criminal offences is considered special category personal data.
Are there any formalities to obtain consent to process sensitive personal data?
Consent to process special category personal data must be explicit. The general restrictions on consent, set out above, will also apply. This suggests a degree of formality, such as ticking a box containing the express words “I consent”. In its guidance on consent, the DIFC Authority indicated that consent which is inferred cannot be explicit consent. As such it is highly unlikely explicit consent could be obtained through a course of conduct.
Data Protection Officers
When must a data protection officer be appointed?
Both controllers and processors must appoint a data protection officer if: (i) they are a DIFC Body other than the DIFC courts; and (ii) they perform high risk processing activities.
High risk processing activities are activities that involve: (i) processing using new technologies which creates a materially increased risk to the rights of a data subject; (ii) processing a considerable amount of personal data that is likely to result in a high risk to the data subject; (iii) automated processing resulting in the conclusion of decisions that produce legal effects concerning the data subject or otherwise significantly affecting the natural person; and (iv) processing a material amount of special categories of personal data.
The DIFC Authority has issued guidance on high risk processing activities, here. [Note: This was updated 8 July 2022.]
What are the duties of a data protection officer?
The data protection officer must be involved in all data protection issues (including monitoring compliance with the Data Protection Law) and cannot be dismissed or penalised for performing their role. The data protection officer must be able to act independently and must have direct access to, and report to, senior management of the controller or processor. On request, a controller or processor must confirm the identity of its data protection officer to the Commissioner in writing.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
The Data Protection Law provides for a general accountability obligation under which a controller or a processor must not only comply with the Data Protection Law, but also be able to demonstrate it complies with it. This means ensuring suitable policies are in place supported by audit and training.
Are privacy impact assessments mandatory?
Yes. A data protection impact assessment must be conducted prior to undertaking any high risk processing activities (as defined above).
Rights of Data Subjects
Privacy notices
Upon commencing collection of personal data in respect of a data subject, controllers must provide data subjects with information substantially in line with the enhanced transparency information requirements in the GDPR (but amended in respect of the DIFC).
In particular, the controller must provide information about: (i) the identity of the controller; (ii) the contact details of the data protection officer, if applicable; (iii) the purpose and legal basis of the processing; (iv) legitimate interests or compliance obligations, if applicable; (v) the recipients or categories of recipients of the personal data; (vi) the categories of personal data processed; (vii) details of any intended transfer outside of the DIFC and, if applicable, the appropriate safeguards in place; (viii) the period for which data will be stored; (ix) a list of the data subject’s rights, including the right to make a subject access request, and to be “forgotten”; (x) the right to withdraw consent if this is the basis for processing; (xi) the right to complain to the Commissioner; (xii) whether provision of personal data is a statutory or contractual requirement, whether disclosure is mandatory and the consequence of not disclosing personal data; (xiii) details of any automated decision making, including details of the logic used and potential consequences for the individual; and (xiv) any further information necessary regarding the specific circumstances in which the personal data is processed (for example, direct marketing purposes), to ensure fair and transparent processing in respect of the data subject.
Largely similar information must be provided by a controller where personal data has been obtained from a party other than the data subject.
Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. There is no explicit obligation to provide this information in English. However, there is a risk that information that is not in English or accompanied by an English translation may not be considered intelligible.
Rights to access information
Data subjects have a right to access copies of their personal data by making a written request to the controller. The initial request is free, though a charge can be made for subsequent requests. Controllers may refuse the request if it is manifestly unfounded or excessive. The response must be provided within a month, though this can be extended by two months if the request is complex.
Rights to data portability
Data subjects also have a right to data portability where the condition for processing personal data is consent or the performance of a contract and the processing is carried out by automated means. It entitles individuals to obtain any personal data they have provided to the controller in a structured, commonly used and machine-readable format. Individuals can also ask for personal data to be transferred directly from one controller to another. A controller is not required to provide or transmit personal data where doing so would infringe the rights of any other natural person.
Right to be forgotten
A data subject has the right to require the controller to erase his personal data in certain circumstances. However, those circumstances are relatively limited, for example, where the processing is no longer necessary in relation to the purposes for which it was collected, the processing is unlawful or, where the processing was based on consent, that consent is withdrawn and there are no other grounds for processing. Even where the right does arise, there are a range of exemptions, for example where there is a legal obligation to retain the personal data or where its erasure is not feasible for technical reasons (provided certain conditions related to disclosure are satisfied).
Objection to direct marketing
A data subject has the right to be informed before personal data is used on their behalf for the purposes of direct marketing. A data subject must also be expressly given the right to object to such use. A data subject can object to their personal data being processed for direct marketing purposes at any time. This includes profiling to the extent related to direct marketing.
Other rights
The Data Protection Law contains a number of other rights including the right to request the rectification, or restricting the use, of personal data where the processing does not comply with the provisions of the Data Protection Law. There is also a right to object to processing being carried out in the performance of a task carried out in the public interest or under the legitimate interests condition.
Finally, a data subject may not be discriminated against for exercising their rights under the Data Protection Law.
Security
Security requirements in order to protect personal data
The Data Protection Law requires controllers and processors to implement appropriate technical and organisational measures to protect personal data against wilful, negligent, accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of or access to personal data and against all other unlawful forms of processing.
Specific rules governing processing by third party agents (processors)
The Data Protection Law states that the controller must, where processing is carried out on its behalf, choose a processor which provides sufficient assurances in respect of the technical and organisational measures that ensure compliance with the requirements of the Data Protection Law.
The controller must enter into a legally binding written agreement with its processor. The Commissioner has the power to publish standard contractual clauses which can be used for this purpose.
Notice of breach laws
A controller must notify the Commissioner of a personal data breach which compromises a data subject’s confidentiality, security or privacy, as soon as practicable.
A controller must notify the data subject, as soon as practicable, if the breach is likely to result in a high risk to his security or rights and promptly if there is any immediate risk of damage to the data subject.
A processor must, without undue delay, notify the relevant controller if it becomes aware of a personal data breach.
The DIFC Authority has issued guidance on security breaches, here. [Note: A new version was issued 1 September 2023.]
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
The Data Protection Law contains restrictions on transborder dataflows. Transborder dataflows may take place where there is an adequate level of protection for the personal data, ensured by the laws and regulations applicable to the recipient. For this purpose, the Commissioner determines which jurisdictions have an adequate level of protection taking into account factors such as: (i) the rule of law, the general respect for individual's rights and the ability of individuals to enforce their rights via administrative or judicial redress; (ii) the access of a public authority to Personal Data; (iii) the existence of effective data protection laws and independent and competent data protection supervisory authorities; and (iv) any international commitments binding on such jurisdiction. A list of “adequate” data protection regimes is available on the DIFC Authority’s website.
Where there is an inadequate level of protection, transborder dataflows may only occur where: (i) the controller or processor has provided appropriate safeguards, such as a legally binding instrument between public authorities, binding corporate rules approved by the Commissioner, the adoption of standard data protection clauses, an approved code of conduct or an approved certification mechanism; or (ii) one of the following derogations applies: (a) the data subject has given explicit consent to the proposed transfer; (b) the transfer is necessary for the performance of a contract with the data subject or a contract concluded in the interests of the data subject; (c) the transfer is necessary for reasons of substantial public interest (such as the administration of justice and the exercise of a function conferred on a person by applicable laws); (d) the transfer is necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims; (e) the transfer is necessary in order to protect the vital interests of the data subject; (f) the transfer is made from a public register; (g) the transfer is necessary for compliance with any legal obligation to which the controller is subject, or the transfer is made at the request of a regulator, the police or another government agency; (h) the transfer is necessary to uphold the legitimate interests of the controller recognised in the international financial markets, except where such interests are overridden by the legitimate interests of the data subject; or (i) the transfer is necessary to comply with applicable anti-money laundering or counter-terrorist financing obligations, or obligations relating to the prevention or detection of any crime, that apply to a controller or processor.
Finally, transborder dataflows may also occur where there is an inadequate level of protection and none of the aforementioned conditions or derogations apply, but only in limited and exceptional circumstances where the transborder dataflow: (a) is not repetitive; (b) concerns only a limited number of data subjects; (c) is necessary for the purposes of compelling legitimate interests of the controller that are not overridden by the data subject's interests or rights; and (d) is preceded by the controller completing a documented assessment of all the circumstances surrounding the data transfer and providing suitable safeguards to protect the personal data.
Notification and approval of national regulator (including notification of use of Model Contracts)
A controller or processor must notify the Commissioner where any personal data processing operations involve the transfer of personal data to a recipient outside the DIFC which is not subject to laws and regulations which ensure an adequate level of protection.
Use of binding corporate rules
Yes, for the transfer of personal data to a member of a group outside the DIFC which is not subject to laws and regulations which ensure an adequate level of protection. Any such binding corporate rules must have been reviewed and approved by the Commissioner.
Enforcement
Fines
The Commissioner has the power to issue fines. Controllers may also be liable for payment of damages and compensation.
The current schedule of fines lists the maximum administrative fine as USD 100,000 for breaching provisions related to the statutory rights of a data subject. Other fines include USD 75,000 for breaching provisions related to the controller's obligation to cease processing personal data, and ensure that any processor does the same, once a data subject withdraws his consent. There is a USD 50,000 fine for failure to comply with the provisions of the Data Protection Law related to: (i) the requirements for legitimate and lawful processing of personal data; (ii) processing special categories of personal data; (iii) the data subject's consent to processing of personal data; and (iv) transferring personal data outside the DIFC.
Separately, the Commissioner also has the power to issue general fines each for an amount which he considers appropriate and proportionate depending on the seriousness of the contravention and the risk of actual harm to the data subject.
Imprisonment
Not applicable.
However, criminal provisions of UAE legislation applicable to data protection continue to apply in the DIFC.
Compensation
Data subjects have a right to compensation where they have suffered damage by reason of any contravention by a controller or processor of any requirement of the Data Protection Law or the Regulations.
Other powers
The Commissioner has wide ranging powers to promote good practices and observance of the requirements of the Data Protection Law.
The Commissioner has the power to access any personal data processed by a controller or a processor and to collect or direct a controller or a processor to provide any information necessary for the performance by the Commissioner of its supervisory powers.
In addition to the imposition of fines, the Commissioner may: (i) issue directions, warnings or admonishments and make recommendations to a controller or processor; (ii) initiate proceedings for contraventions of the Data Protection Law; (iii) initiate claims for compensation on behalf of a data subject; and (iv) issue directions requiring a controller or processor to do or refrain from doing any act or thing and refrain from processing any personal data, in each case in the manner specified in the direction.
Practice
The Data Protection Law came into force on 1 July 2020. In public press releases the DIFC Authority indicated that those subject to the Data Protection Law would be given a grace period of three months in order to comply (making the effective date of the Data Protection Law 1 October 2020).
The only public enforcement action we are aware of resulted from the Dubai Financial Services Authority (“DFSA”) refusing the data access request of a data subject that it was investigating. This was, ostensibly, a blanket objection to any such request on the basis that such requests would be likely to prejudice the proper discharge of its regulatory functions and that complying with the request would divert financial and human resources from the investigation. The DFSA also argued that it would deter third parties from sharing confidential information with the DFSA in the future. The Commissioner found that the DFSA had breached the DIFC Data Protection Law and the DFSA appealed to the DIFC Court. The DIFC Court upheld the DFSA’s appeal. It came to this conclusion on the basis that the data subject’s principal and overriding purpose in issuing the request was to obtain information contained in documents stored by the DFSA that assisted her case in the proceedings. The DIFC Court held that since the DFSA was already under a duty to disclose all documents that assisted the data subject or undermined its own case, and had in fact done so, diverting significant financial and human resources in order to comply with the request would be grossly disproportionate to the real interest of the data subject in seeking to enforce her data subject rights.
ePrivacy | Marketing and cookies
National Legislation
ePrivacy laws
The Data Protection Regulations released under the Data Protection Law came into force in September 2023 and apply to any person to whom the Data Protection Law applies. The Data Protection Regulations set out requirements in relation to any ‘Digital Communications and Services’. Digital Communications and Services refer to electronic communications and behavioural advertising, capturing direct marketing by e-mail and telephone to individual subscribers.
Cookies
Conditions for use of cookies
None specifically relevant to cookies.
Regulatory guidance on the use of cookies
Not applicable.
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
Controllers have obligations under the Data Protection Regulations to notify and provide information to data subjects as to whether personal data will be used for the purposes of enabling Digital Communications and Services. Controllers must also ensure that privacy preferences are set by default such that no more than the minimum personal data necessary to deliver or receive the relevant product or service is obtained or collected.
Data subjects must also be given the opportunity to refuse or opt out of receiving Digital Communications and Services. Any controller using personal data for Digital Communications and Services must ensure, and be able to prove, clear, affirmative and unambiguous consent from the data subject. Therefore, pre-ticked selection boxes, silence and/or inactivity do not constitute acceptable means of collecting consent for Digital Communications and Services.
Where previous consent has been obtained from the data subject in relation to Digital Communications and Services, a controller may continue relying on that information or consent provided that: (i) the information has been obtained directly from the data subject; (ii) the personal data has been collected in the course of a sale, or the negotiation of a sale, of the controller’s product or service; (iii) the Digital Communications and Services directed at the data subject pertain to products or services of the controller similar to those on which the previous contact or consent was based; (iv) the data subject has the opportunity to unsubscribe, change preferences or refuse/opt out at any time; (v) appropriate and proportionate measures to assess the ongoing validity of the data subject's consent have been put in place by the controller; and (vi) reliable and straightforward means of withdrawing consent have been given.
Conditions for direct marketing by e-mail to corporate subscribers
The provisions of the Data Protection Law in respect of direct marketing only apply to natural persons.
Exemptions and other issues
The Data Protection Regulations can be found here. The DIFC Authority has issued guidance on direct marketing and electronic communication, here. [Note: This was updated 8 July 2022.]
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The same rules apply as for e-mail.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
The provisions of the Data Protection Law in respect of direct marketing only apply to natural persons.
Exemptions and other issues
The Data Protection Regulations can be found here. The DIFC Authority has issued guidance on direct marketing and electronic communication, here. [Note: This was updated 8 July 2022.]