Data Protected - Dubai International Finance Centre

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The DIFC Data Protection Law 2007 (DIFC Law No. 1 of 2007) (the “Data Protection Law”) and the DIFC Data Protection Regulations (the “Regulations”).

Entry into force

The DIFC Data Protection Law 2007 (DIFC Law No. 1 of 2007) was issued on 6 January 2007. The DIFC Data Protection Regulations were issued by the DIFC Authority Board on 15 February 2007.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Dubai International Financial Centre Authority (the “DIFC Authority”)

Level 14, The Gate
PO Box 74777
Dubai
United Arab Emirates

www.difc.ae/laws-regulations/data-protection

The DIFC Authority is responsible for implementing regulations related to the application of the Data Protection Law. The President of the DIFC is charged with appointing the Commissioner for Data Protection (the “Commissioner”) to administer the Data Protection Law.

Notification or registration scheme and timing

The Data Protection Law does not generally require notification in respect of the processing of personal data.

However, a controller must notify the Commissioner where any personal data processing operation or set of operations occurs, involving: (i) the processing of sensitive personal data; or (ii) the transfer of personal data to a recipient outside the DIFC which is not subject to a data protection regime which ensures an “adequate” level of protection (see Restrictions on transfers to third countries, below). A controller must also notify the Commissioner of any changes related to previously notifiable particulars. Notification by a controller is carried out by completing a notification form and sending it to the Commissioner at the DIFC Authority.

Exemptions to notification

No.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Data Protection Law applies in the jurisdiction of the Dubai International Financial Centre (the “DIFC”) and is therefore applicable to all DIFC entities, both regulated and non-regulated by the DFSA.

Is there a concept of a controller and a processor?

The Data Protection Law applies to the activities of controllers and processors, as well as persons acting under controllers and processors.

Are both manual and electronic records subject to data protection legislation?

Yes.

Are there any national derogations?

The Data Protection Law does not provide for general national derogations; however, the DIFC Authority’s Board of Directors is permitted to make regulations exempting a controller from compliance with the Data Protection Law. Furthermore, specified provisions of the Data Protection Law do not apply to the Dubai Financial Services Authority, the DIFC Authority and the DIFC Registrar of Companies where the application of those provisions would be likely to prejudice the proper discharge by those entities of their powers and functions under any laws administered by them.

_____________________________________________________________________

Personal Data

What is personal data?

The Data Protection Law defines personal data as any data relating to an identifiable natural person. An identifiable natural person is a natural living person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.

Is information about legal entities personal data?

The Data Protection Law only applies to personal data which relates to an identifiable natural person, and, as such, information about legal entities does not qualify as personal data. The Data Protection Law may apply to any natural person acting as a sole trader or as a member of a partnership.

What are the rules for processing personal data?

Personal data may only be processed if: (i) the data subject has given his written consent to the processing of that personal data; (ii) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (iii) processing is necessary for compliance with any legal obligation to which the controller is subject; (iv) processing is necessary for the performance of a task carried out in the interests of the DIFC, or in the exercise of the DIFC Authority, the Dubai Financial Services Authority, the DIFC Court or the DIFC Registrar of Companies’ functions, or powers vested in the controller or in a third party to whom the personal data is disclosed; or (v) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the personal data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject.

Are there any formalities to obtain consent to process personal data?

Consent, if required, must be given in writing.

Are there any special rules when processing personal data about children?

The Data Protection Law does not impose any additional rules that are applicable when processing personal data relating to children.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Sensitive personal data is personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade union membership and health or sex life.

Are there additional rules for processing sensitive personal data?

Sensitive personal data should not be processed unless conditions substantially similar to the conditions for processing personal data are satisfied, together with certain other conditions.

These other conditions include where: (i) processing is necessary in order for the controller to carry out its obligations or rights or comply with any regulatory or legal obligation; (ii) processing is necessary to uphold the legitimate interests of the controller recognised in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by the legitimate interests of the data subject; (iii) processing is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or obligations relating to the prevention or detection of any crime that apply to a controller; (iv) processing is required to protect members of the public against financial loss due to dishonesty or other seriously improper conduct by persons concerned in the provision of certain financial services; or (v) processing is authorised in writing by the Commissioner.

Are there additional rules for processing information about criminal offences?

The rules are the same as for sensitive personal data.

Are there any formalities to obtain consent to process sensitive personal data?

Consent, if required, must be given in writing.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

There is no obligation to appoint a data protection officer.

What are the duties of a data protection officer?

Not applicable.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation.

Are privacy impact assessments mandatory?

No.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Upon commencing collection of personal data in respect of a data subject, controllers must provide data subjects with a privacy notice which should include, amongst other things: (i) the identity of the controller; (ii) the purposes of the processing for which the data are intended; (iii) information detailing the recipients or categories of recipients of the personal data; (iv) whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply; (v) the existence of the right of access to and the right to rectify the personal data; and (vi) whether the personal data will be used for direct marketing purposes.

Where personal data has been obtained from a party other than the data subject, the controller must at the time of processing the personal data or if a disclosure to a third party is envisaged, provide data subjects with a privacy notice setting out the information detailed above.

Rights to access information

Data subjects have the right to request: (i) confirmation as to whether data relating to a data subject are being processed; (ii) information as to the purposes of the processing, the categories of data, and the recipients to whom the data are disclosed; and (iii) communication of the data undergoing processing and of any available information as to their source.

Rights to data portability

There is no express right to data portability, although a data subject does have the right to receive data in an “intelligible form”.

Right to be forgotten

A data subject has the right to request the erasure of any personal data relating to him where the processing does not comply with the provisions of the Data Protection Law.

Objection to direct marketing and profiling

A data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing. A data subject must also be expressly given the right to object to such disclosures or uses.

Other rights

Data subjects may request the rectification, erasure or blocking of personal data where the processing does not comply with the provisions of the Data Protection Law.

A data subject has the right to object at any time on reasonable grounds relating to his particular situation to the processing of personal data relating to him. Where there is a justified objection, the relevant personal data must be removed from the processing operation that was being conducted by the controller.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

The Data Protection Law requires controllers to implement appropriate technical and organisational measures to protect personal data against wilful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of processing.

Specific rules governing processing by third party agents (processors)

The Data Protection Law states that the controller must, where processing is carried out on its behalf, choose a processor which provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out and must ensure compliance with those measures. There is no obligation to have a written contract with such processors.

Notice of breach laws

In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any personal data database, the controller or the processor carrying out the controller’s function at the time of the intrusion must inform the Commissioner of the incident as soon as reasonably practicable. There is no obligation to notify the data subjects.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The Data Protection Law contains restrictions on transborder dataflows. Transborder dataflows may take place where there is an adequate level of protection for the personal data, ensured by the laws and regulations applicable to the recipient. For this purpose, a jurisdiction has an adequate level of protection where it is listed as an acceptable jurisdiction under the Regulations or is otherwise approved by the Commissioner. A list of “adequate” data protection regimes is available on the DIFC Authority’s website.

Where there is an inadequate level of protection, transborder dataflows may only occur where: (i) the data subject has given his written approval to the proposed transfer; (ii) the transfer is necessary for the performance of a contract with the data subject or a contract concluded in the interests of the data subject; (iii) the transfer is necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims; (iv) the transfer is necessary in order to protect the vital interests of the data subject; (v) the transfer is made from a public register; (vi) the transfer is necessary for compliance with any legal obligation to which the controller is subject or the transfer is made at the request of a regulator, the police or another government agency; (vii) the transfer is necessary to uphold the legitimate interests of the controller recognised in the international financial markets except where such interests are overridden by legitimate interests of the data subject; or (viii) the transfer is necessary to comply with any regulatory requirements, auditing, accounting, anti-money laundering or counter terrorist financing obligations or obligations relating to prevention or detection of any crime that apply to a controller.

A transfer may also take place where the Commissioner has authorised the transfer and the controller applies adequate safeguards with respect to the protection of personal data.

Notification and approval of national regulator (including notification of use of Model Contracts)

A controller must notify the Commissioner where any personal data processing operations involve the transfer of personal data to a recipient outside the DIFC which is not subject to laws and regulations which ensure an adequate level of protection.

Use of binding corporate rules

No.

_____________________________________________________________________

Enforcement

Fines

The Commissioner has the power to issue fines. Controllers may also be liable for payment of compensation.

The current schedule of fines lists the maximum fine as USD 25,000 for failure to register with the Commissioner. Other fines include USD 20,000 for transferring personal data outside the DIFC without obtaining a required permit, USD 15,000 for failure to comply with the requirements for legitimate processing of data and USD 10,000 for processing sensitive personal data without obtaining a required permit.

Imprisonment

Not applicable.

Compensation

Data subjects have a right to compensation where they have suffered damage by reason of any contravention by a controller of any requirement of the Data Protection Law or the Regulations.

Other powers

The Commissioner has wide-ranging powers to promote good practices and observance of the requirements of the Data Protection Law.

The Commissioner has the power to access any personal data processed by a controller and to collect, or direct a controller to provide, any information necessary for the performance by the Commissioner of its supervisory powers.

In addition to the imposition of fines, the Commissioner may (i) issue directions, warnings or admonishments and make recommendations to controllers; (ii) initiate proceedings for contraventions of the Data Protection Law; (iii) initiate claims for compensation on behalf of a data subject; and (iv) issue directions requiring a controller to do or refrain from doing any act or thing and refrain from processing any personal data, in each case in the manner specified in the direction.

Practice

We are not aware of any enforcement actions over the last 12 months.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

None specifically relevant to ePrivacy issues.

_____________________________________________________________________

Cookies

Conditions for use of cookies

None specifically relevant to cookies.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Data Protection Law does not specifically set out rules in relation to the use of electronic direct marketing. However, in accordance with certain general provisions of the Data Protection Law, the data subject has the right to be informed before their personal data is used on their behalf and may object to the disclosure or use of their personal data for direct marketing purposes.

Conditions for direct marketing by e-mail to corporate subscribers

The provisions of the Data Protection Law in respect of direct marketing only apply to natural persons.

Exemptions and other issues

Not applicable.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Data Protection Law does not specifically set out rules in relation to direct marketing by telephone. However, in accordance with certain general provisions of the Data Protection Law, the data subject has the right to be informed before their personal data is used on their behalf and may object to the disclosure or use of their personal data for direct marketing purposes.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The provisions of the Data Protection Law in respect of direct marketing only apply to natural persons.

Exemptions and other issues

Not applicable.

_____________________________________________________________________