Frequently Asked Questions

Please note that the information presented in the FAQs below is not meant to express an opinion on lawfulness of specific business activities, nor does it have the force of law, and is not intended to constitute legal advice. Please contact legal counsel for assistance in determining your data protection and privacy policies regarding these FAQs to ensure compliance with the applicable laws and regulations. The Commissioner does not make any warranty or assume any legal liability for the accuracy or completeness of this information as it may apply to the particular circumstances of an individual or a firm.

You may connect to the DP sub-menus containing content on the FAQs below as follows:

DP Website Navigation

The Basics

What is the purpose of the DIFC data protection legislation?
The DIFC data protection legislation is intended to protect the processing of Personal Data by a Controller or Processor or any Third Party related thereto. It also reinforces ethical data management through accountability requirements. It creates a legal and procedural framework which ensures that an individual’s Personal Data in the DIFC is treated fairly, lawfully and securely when it is stored, used or released.

The DIFC data protection legislation strikes a balance between a Data Subject’s right to control access to, and the use of, their Personal Data with a Controller’s need to collect and use Personal Data for legitimate or other specific legal purposes.
Who is responsible for administering and providing guidance regarding the DIFC Data Protection Law
The DIFC Commissioner of Data Protection is responsible for administering the DIFC Data Protection Law, which includes supervision, monitoring compliance with and enforcement of the law. The current Commissioner is Jacques Visser.

The Commissioner also provides guidance on several topics that are addressed in the DIFC Data Protection Law. Where the Commissioner has not provided guidance on a topic, regardless of how specific, the DIFC Data Protection Law is largely based on the UK GDPR, and as such the guidance provided by the UK Information Commissioner’s Office on most relevant topics would apply.
To which entities does the DIFC DP Law 2020 apply?
DP Law 2020 applies in the jurisdiction of the DIFC, to the Processing of Personal Data: (a) by automated means; and (b) other than by automated means where the Personal Data forms part of a Filing System or is intended to form part of a Filing System.

It applies to the Processing of Personal Data by a Controller or Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not. It also applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. The important thing to understand for this application is the context of the Processing activity of the non-DIFC entity within the DIFC (i.e., and not in a Third Country), including transfers of Personal Data out of the DIFC.

Processing in the DIFC occurs when the means or personnel used to conduct the Processing activity are physically located in the DIFC, and Processing outside the DIFC is to be interpreted accordingly.

So even though an entity may be outside or not even registered or licensed in the DIFC, the DP Law 2020 will apply to Processing operations performed as a result of an engagement with a DIFC entity that is ongoing, contractual, or any other means of demonstrating that it is more than a simply one-off instance of processing. The non-DIFC entity ordinarily would not be required to notify the Commissioner or perform other administrative tasks like appointing a DPO, although it may do so if it wishes anyway, as best practice. The non-DIFC entity may also be subject to liabilities such as fines or third party claims.

DP Law 2020 does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.

Please see Article 6 of the DP Law 2020 for further information.
What is Personal Data?
Personal Data is any information relating to an identified natural person or Identifiable Natural Person. For example, Personal Data may include an individual’s name, age, home address, income, marital status, education, or employment information, or any combination of these things. If one element of information does not identify someone on its own, such as the name “John Smith”, other elements should ordinarily contribute to identifying a person. In accordance with DIFC law, a legal entity or organization does not have personal data.
What is Special Category Data?
Special Category Data is Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person. General information like names and addresses do not traditionally constitute Special Category Data. Any possible exceptions should be discussed with the Commissioner of Data Protection.
Who is a Controller?
Who is a Processor?
Who is a Data Subject?
What is a Third Party?
Who is a recipient of Personal Data?
What is Processing?
Processing is any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:

a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or

law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Is there a fee for notification?

Yes. Among other purposes, notification fees support small and medium businesses having access to useful information and templates avaiable on the DIFC Data Protection webiste. Please see below for a schedule of notification fees:

Upon Receipt By The Commissioner Of Data Protection of:	Category I	Category II	Category III
Registration(Notification)	$1,250	$750	$250
Annual renewal of the registration	$500	$250	$100
Amendments to the registrable particulars of the notification	$100	$50	$10
Notification to inform the Commissioner of Data Protection of not Processing Personal Data	Nil	Nil	Nil
Amendments to contact details	Nil	Nil	Nil

Category I includes entities regulated by the DFSA
Category II includes DFSA non-regulated entities, except retail; and
Category III includes retail entities.

Accountability

What is accountability?
Accountability is captured in Articles 14 to 22 of the DP Law 2020. It is, in a nutshell, a means of showing transparency and proper management and handling of a very important asset: your Personal Data.

It includes taking such measures as appointing a Data Protection Officer or DPO who is someone that independently manages accountability and DP compliance within a company. While a DPO is not mandatory to appoint, unless the entity is directed to by the Commissioner or it engages in High Risk Processing, appointing a DPO is always worth considering to embed privacy and accountability principles in the business culture. Accountability also includes carrying out impact assessments to understand the risks (security, sharing, access, etc) to your Personal Data.
How does a Controller comply with the core provisions of the Data Protection Law?
Dealing With The Data Subject

A Controller must securely keep any Personal Data it collects and process it fairly and lawfully. At or before the time Personal Data is collected from a Data Subject, a Controller should take reasonable steps to ensure that the Data Subject is aware of:

the identity of the Controller and how to contact it;

the fact that the Data Subject is able to gain access to their Personal Data;

the purposes for which their Personal Data is collected;

other persons to whom the Controller usually discloses data of that kind; and

the main consequence for the Data Subject if all or part of the data is not
provided.

If a Controller intends to Process the Personal Data collected from a Data Subject, it is suggested that when the Controller collects that Personal Data, the Data Controller obtain the Data Subject’s written consent to such Processing at the same time.

Initial Internal Procedures

The Controller should consider the following for all Personal Data:

purpose for which it holds Personal Data;

number of individuals identified in the Personal Data it holds;

nature of the Personal Data;

length of time it holds Personal Data;

procedure for individuals identified by the Personal Data it holds to obtain access to their Personal Data; and

the possible consequences for individuals identified by the Personal Data it holds as a result of the way it holds, erases or Processes Personal Data.

Ongoing Internal Procedure

The Controller should consider the following matters:

is there a record of when the Personal Data it holds was recorded or last updated?

are all those involved with the collection and Processing of Personal Data, including people to whom they are disclosed as well as employees of the Data Controller, aware that the Personal Data may not necessarily be up to date and accurate?

are steps taken to update the Personal Data, for example, by checking back at intervals with the original source or with the Data Subject? If so, how effective are these steps?

if the Personal Data is out of date is it likely to cause damage or distress to the Data
Subject?

Transfers

Before Personal Data is transferred outside the DIFC the Controller should consider the following matters:

has the Data Subject unambiguously consented to the proposed transfer?

is the transfer necessary for the performance of a contract between the Data Subject and the Controller?

is the transfer necessary or legally required on grounds important in the interests of the DIFC, or for the establishment, exercise or defence of legal claims?

is the transfer necessary in order to protect the vital interests of the Data Subject?

is the transfer intended to provide information to the public which is open to consultation?

is the transfer necessary to comply with any legal obligation?

is the transfer necessary to uphold the legitimate interests of the Controller recognised in the international financial markets?

is the transfer necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a Controller?

Under the DP Law 2020, Processors (and where applicable, Sub-processors) have certain compliance obligations and notification requirements as well. Please review the DP Law 2020 particularly at Articles 14 to 22 and Article 24.
Must a data protection officer (DPO) be appointed by all DIFC licensed entities or DIFC Bodies?
Appointing a DPO is not always required, according to Article 16. It is mandatory to appoint someone to this role in only 3 specific instances, the most common being where an entity engages in High Risk Processing or when the Commissioner directs an entity to do so. Please review Articles 16 to 18 of the DP Law 2020 for further details about the role, skills and task of the DPO.

DIFC Bodies MUST appoint a DPO in accordance with the DP Law 2020. As such, DIFC Authority has appointed a DPO, as required by Article 16(2)(a). She is responsible for investigating issues, questions or concerns about Personal Data processing by DIFC Authority or its affiliates, and where necessary, reporting any breaches to the Commissioner's Office, which remains independent of the DPO responsibilities in order to make an objective assessment about whether, under the circumstances, DIFC Authority or its affiliates complied with the DP Law 2020 or Regulations.

The DIFCA DPO may be contacted at dpo@difc.ae or by calling 04 362 2222. The DPO mailbox is monitored and you will ordinarily receive a reply shortly after your email is received. The process thereafter will largely depend on the circumstances of the query, but if an investigation is warranted, the DPO may ask for further information, documents, identification, or other materials in order to provide a sufficient response to the query or reason for contacting the DPO.

You may also write to the DIFC DPO at the DIFC offices:

DIFC Authority - DPO

PO Box 74777

DIFC, Dubai, UAE
When should I submit the Annual Assessment for compliance with Article 19 of the DP Law 2020, and in what format?
Upon the enforcement of the DIFC Data Protection Law, DIFC registered entities with an appointed Data Protection Officer (DPO) will be required to submit an annual Assessment as per Article 19 of the DIFC Data Protection Law, DIFC Law No. 5 of 2020

The first submission of the Annual Assessment (if required in accordance with Article 19, i.e., where a DPO must be appointed) will be made on the first license renewal date after July 1, 2021.

Example:

If your license renewal date is April 3, 2021, your first Annual Assessment filing date will be April 3, 2022.

If your license renewal date is October 3, 2021, your first Annual Assessment filing date will be October 3, 2021.

Please note that this form will be made available in an electronic format by the entity’s first Annual Assessment due date and will be submitted on the DIFC Client Portal. Submissions by email will not accepted.

Please review DPO Annual Assessment Guidance for further support, information and FAQs
When is a permit required?

Individuals' Rights & Redress

What must a Controller or Processor do when it wants to deal with an individual's Personal Data?
The Controller must notify the Commissioner of Data Protection when it is:

Processing Personal Data, Special Category Data; and/or transferring Personal Data outside the DIFC to a jurisdiction that does not have adequate levels of data protection. It must also notify of activities and operations, accountability measures and data breaches (if any).

The notification to the Commissioner of Data Protection must be updated annually.

If during the year, the manner of Processing is changed, a notification reflecting this must be submitted to the Commissioner of Data Protection.

Notification by a Controller is carried out by completing a notification available in Client Portal and sending it to the Commissioner of Data Protection at the DIFC.

Also, a privacy notice should be published wherever possible. Please have a look at the templates available to help you put together a basic online privacy notice.

Controller and Processor obligations guidance is also available at this link.
What determines whether data relates to an individual?
Whether information relates to a particular individual will be a question of fact in each case. If a connection can be made between the information and an individual, then the information is Personal Data. Personal Data can relate to more than one individual. For example, information concerning a joint bank account relates to both account holders and therefore is the Personal Data of each account holder and would be protected as such.
What are my rights as a Data Subject regarding Processing of my Personal Data and lodging complaints?
The DIFC Data Protection legislation gives certain rights to individuals (i.e., Data Subjects) concerning their Personal Data and Sensitive Personal Data. Generally, a Data Subject has the right to access any Personal Data that is kept about them, as well as to object to processing, rectify errors, restrict processing, to transport it to another Controller upon request, and to be free from discrimination when exercising any available rights. Individuals may also request cessation of processing and may withdraw consent. Please go to this link for guidance and this link for a table of rights and remedies individuals are entitled to under DIFC DP Law 2020.

If the Personal Data Processed is inaccurate, then the Data Subject can request the Controller to take action to rectify, block or destroy the inaccurate data. However, there are certain circumstances, or exemptions, where it is legal for a Controller not to have to notify a Data Subject that Personal Data is being Processed, for example, where Personal Data is being released to a legitimate authority to comply with anti money laundering obligations.

A Data Subject can object on reasonable grounds to the Processing of their Personal Data, and request their Personal Data not be disclosed to third parties. This may include circumstances where an individual requests a Controller to cease Processing Personal Data for the purposes of direct marketing. If the Controller objects to the request, the Data Subject may file a complaint with the Commissioner of Data Protection at DIFC who may investigate further and / or refer the matter to mediation. Please see Part 9 of the DP Law 2020 for an overview of available remedies and Section 6 of the DIFC Data Protection Regulations for a general description of this process, as well as further details below.

COMPLAINTS AND MEDIATION

In accordance with Article 60 of the DP Law 2020, the DIFC Commissioner of Data Protection may inspect an entity subject to the DP Law 2020 or may investigate or mediate complaints from the public about interferences with people's privacy that contravene the DP Law 2020. While investigating, we look for opportunities to resolve the issues in a way that’s acceptable to both sides of the dispute.

We are impartial, do not take sides, and are independent of the DIFC governing bodies in determining whether to investigate or mediate, the outcome, and the recommendations / directions provided (if any).

Deciding to investigate or mediate
When we receive your complaint, we will decide whether a full investigation is necessary. We will talk to you and sometimes the relevant entity you’re complaining about to get both sides of the story.
We may decide not to continue to investigate your complaint. We may not investigate if:

the issue isn’t covered by the DP Law 2020

the complaint is about a personal or family dispute, or not covered by the DP Law 2020

there’s a better way of dealing with the matter first that has not been employed

there’s another legally required complaints procedure that needs to be followed first

the complaint is about a breach of someone else’s privacy.
You’ll have the chance to comment or raise concerns before we stop an investigation.

Investigating the complaint and mediation
If we decide to investigate, we’ll determine which principles of the DP Law 2020 may have been breached and how. We will notify you and the relevant entity that we are investigating your complaint.
We conduct investigations by talking to the parties in person and by telephone, email, and letter. We may ask you to meet with the relevant entity as well to discuss the complaint.
We may ask you and the relevant entity to provide us with documents and information relevant to the complaint, but we will not pass on any correspondence between the parties, unless permitted or requested by the relevant parties to do so. The parties need to be able to speak to us openly for our investigations to be effective.
We close most investigations within six months but occasionally they take longer depending on the individual circumstances.

Settling the complaint
Our focus is on resolving disputes and where appropriate we will try to facilitate the settlement of a complaint with or without investigating it. Most settlements are apologies, a release of information, or some other similar action, sometimes issued by the Commissioner in the form of recommendations or a direction.
In accordance with Article 64 of the DP Law 2020, a Data Subject may apply to the Court of compensation. Any Controller involved in Processing that infringes the DP Law 2020 shall be liable for the damage caused. A Processor shall be liable for the damage caused by Processing only where it has not complied with obligations of the DP Law 2020 specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.
If we cannot settle the complaint and we decide not to investigate further, we will advise the parties of our view and close our investigation file.

Other available remedies
In accordance with Article 63 of the DP Law 2020, if you disagree with a finding or direction by the Commissioner of contravention (or of no contravention) of the DP Law 2020, you may appeal against the finding to the DIFC Courts within thirty (30) days.
The DIFC Courts may make any orders that it may think just and appropriate in the circumstances, including remedies for damages or compensation, penalties and imposition of administrative fines and findings of fact or alternative findings of fact in relation to whether or not the Law has been contravened.

Contact us
If you want to know more about the complaints process, the DP Law 2020, or our work in general, you can contact us.
What about expressions of opinion?

Data Export & Sharing

Where can I find information about international data transfers and what I have to do to comply with Articles 26 and 27 of DP Law 2020?
Where can I find information about public authority data sharing requests and what I have to do to comply with Article 28 of DP Law 2020?
Per Article 27, if our Group of companies has Binding Corporate Rules (BCRs) approved by the EU or another government body, how should I submit them for review to the DP Commissioner?
Per Article 27(2)(c), will using the EU Model Clauses or UK IDTA, or even another country's similar clauses, for data transfers cover my data transfers outside the DIFC to a non-adequate jurisdiction?
The DIFC Standard DP Clauses have been adapted from the EU Standard Contractual Clauses (the SCCs, aka Model Clauses) as well as the UK IDTA. Please review this table available on the Data Export & Sharing page for a view of how the DIFC SCCs were developed. As stated in the Data Export and Sharing Handbook, the transfer from DIFC to a non-DIFC jurisdiction must be covered by documenting it in the relevant third country SCCs if you choose not to use the DIFC SCCs. So if there is a way that can be addressed in any additional text in the appendices, for example (i.e., also covers transfers from DIFC to non-DIFC jurisdictions) or clarity is provided on this point in some way, that may suffice. If you have any questions please contact commissioner@dp.difc.ae.

https://www.difc.ae/business/operating/data-protection/guidance/
What is the DIFC Ethical Data Management Risk Index (EDMRI) and the EDMRI+?
The EDMRI and EDMRI+ are tools (guidance and FAQs available here), which you can use to understand what the risks are when transfering personal data outside of the DIFC, based on the propensity for compliance by the third party importer that you're sending the data to. You can use the EDMRI+ to conduct enhanced due diligence where the overall privacy environment presents more risks than usual, or simply as part of your general compliance regime.

The EDMRI will be expanded over time to include other risk assessment criteria and methodology / rationale, as well as to assess more privacy environments.
Where can I find more information and FAQs about the DIFC Ethical Data Management Risk Index (EDMRI)?

Personal Data Breaches

Must Personal Data breaches be reported to the Commissioner, the Data Subject or both?
It depends. Articles 41 and 42 of DP Law 2020 address personal data breaches. Under Article 41, you must assess whether the breach compromises an individual's confidentiality, security or privacy, and if so, as soon as practicable in the circumstances, notify the breach to the Commissioner.

Article 42 requires, where you have assessed that a breach is likely to result in a high risk to the security or rights of an individuals, then it must be communicated to the affected individual as soon as practicable in the circumstances. If there is an immediate risk of damage to the individual, please promptly communicate with them.

You may use the breach notification assessment tool provided by the Commissioner's Office to help you make this judgement call. All assessment tools are available here.
Is there a time limit for notification of a breach, like in other data protection laws?
How do I notify a Personal Data breach?

Supervision & Enforcement

How does the Commissioner's Office decide which companies to inspect?
How many inspections does the Commissioner's Office conduct each year?
Is information about fines and other enforcement action provided on the DIFC website?