Dubai International Financial Centre (DIFC) - Data Protection Law 2020

Who does Data Protection Law 2020 exempt? 

The DIFC’s privacy law does not apply to “natural persons processing personal data in the course of a purely personal or household activity with no connection to a commercial purpose,” or to “agreements between DIFC Bodies and third-country governments or international organizations that include appropriate safeguards for data subjects.

What are the requirements for businesses under Data Protection Law 2020?

Businesses operating within the DIFC must adhere to a range of requirements to ensure the protection of personal data and compliance with the Data Protection Law 2020. These requirements include:

• Lawful, Fair, and Transparent Processing: Businesses must process personal data in a manner that is lawful, fair, and transparent. This means informing data subjects about how their data is being used and ensuring that data processing is based on a valid legal basis, such as consent, contract performance, legal obligations, vital interests, public tasks, or legitimate interests.
• Specified, Explicit, and Legitimate Purposes: Personal data must be collected for specified, explicit, and legitimate purposes. It should not be processed further in any way that is incompatible with these purposes. Businesses need to clearly define the purpose of data collection at the time of collection.
• Data Accuracy and Up-to-Date Information: Businesses are responsible for ensuring that the personal data they hold is accurate and kept up-to-date. Inaccurate data must be corrected or deleted without undue delay. Regular reviews and updates of data should be conducted to maintain accuracy.
• Data Minimization: Only the data that is necessary for the specified purposes should be collected and processed. Businesses should avoid collecting excessive or irrelevant data and should implement policies to ensure data minimization.
• Security Measures: Appropriate technical and organizational measures must be implemented to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes measures such as encryption, access controls, and regular security assessments.
• Data Protection Officer (DPO): Businesses conducting high-risk processing activities or as directed by the Data Protection Commissioner must appoint a Data Protection Officer (DPO). The DPO should have the expertise and resources to monitor compliance with the law, inform and advise the organization, and act as a point of contact with the Commissioner.
• Records of Processing Activities: Controllers and processors are required to maintain detailed records of their processing activities. These records should include information such as the purposes of processing, categories of data subjects and personal data, recipients of the data, and details of data transfers to third countries.
• Data Protection Impact Assessments (DPIAs): When initiating high-risk processing activities, businesses must conduct Data Protection Impact Assessments (DPIAs) to evaluate the potential impact on data subjects’ privacy and implement measures to mitigate risks. DPIAs should include a description of processing operations, an assessment of necessity and proportionality, and measures to address identified risks.
• Data Breach Notification: In the event of a personal data breach, businesses must notify the Data Protection Commissioner without undue delay and, where feasible, within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed without undue delay.
• Accountability and Governance: Businesses must demonstrate compliance with the Data Protection Law 2020 through robust governance and accountability measures. This includes implementing data protection policies, conducting regular training for staff, and maintaining documentation to prove compliance.
• Privacy by Design and Default: Data protection principles should be embedded into the design of business processes and systems from the outset. By default, only the minimum necessary amount of personal data should be processed, and access should be limited to those who need it for legitimate purposes.
• Third-Party and International Data Transfers: Transfers of personal data to third parties or outside the DIFC must be conducted in accordance with the law. Appropriate safeguards, such as standard contractual clauses or binding corporate rules, should be in place to ensure the protection of data during such transfers.
• Rights of Data Subjects: Businesses must facilitate the exercise of data subjects' rights, such as the right to access, rectification, erasure, restriction of processing, and data portability. Procedures should be in place to handle requests from data subjects efficiently and within the specified timeframes.

What are the data subject rights under Data Protection Law 2020?

Data Protection Law 2020 gives data subjects the following rights: 

• Right to withdraw consent 
• Right to access 
• Right to rectify inaccurate data
• Right to erase data (under certain conditions)
• Right to restrict processing 
• Right to object to processing based on legitimate interests or direct marketing
• Right to data portability

How to respond to consumer requests under Data Protection Law 2020?

Your organization has to respond to data subject requests (e.g., requests for access, rectification, erasure, restriction of processing, and data portability) without undue delay but no later than one month of receiving the request. Before responding to the request you have to implement a process that allows you to verify the identity of the individual making the request to ensure the protection of personal data. If you have reasonable doubts as to the identity of the data subject, you may ask the data subject to provide additional information sufficient to confirm

their identity and, in such cases, the time period for complying with the request does not begin until you’ve received information or evidence sufficient to reasonably identify that the person making the request is the data subject.

If the request is particularly complex or if you have received numerous requests from the data subject, you can extend the response time by an additional two months, however you have an obligation to send the data subject a notice informing them of the extension as well as the reasons for it. 

Requests for access, rectification, or erasure have to receive a response within one month, free of charge, and have to include the relevant information, based on the type of request of the three.

If you receive requests from a data subject that are manifestly unfounded or excessive, in particular because of their repetitive character, you can either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or you can refuse to act on the request, providing written confirmation to the data subject along with the reasons for the refusal.

In the case of a request for rectification or erasure, you have an obligation to communicate these requests to any third parties to whom the data has been disclosed.

Data Protection Law 2020 enforcement and penalties

The law is enforced by the Data Protection Commissioner, who has the authority to investigate compliance with the Data Protection Law 2020, issue directions and fines for non-compliance, require businesses to produce information and undergo audits, or impose administrative fines for violations. 

Penalties for violations of the DIFC’s data privacy law are as follows: 

• A fine of up to $50,000 for general non-compliance with the provisions of the law.
• Failure to comply with an order issued by the Commissioner: up to $100,000.
• Breach of the conditions for processing special categories of personal data: up to $75,000.
• Non-compliance with the requirements for transfers of personal data to third countries: up to $50,000.
• Failure to notify the Commissioner of a data breach: up to $50,000.
• Not appointing a Data Protection Officer (DPO) when required: up to $50,000.
• Not conducting a Data Protection Impact Assessment (DPIA) when necessary: up to $50,000.
• Breach of the requirements for processing children's data: up to $50,000.

In addition to these, individuals can submit complaints with the Commissioner if they believe their data protection rights have been violated in which case the Commissioner may mediate between the complainant and the data controller or processor, and can even seek compensation from controllers or processors for material or non-material damage resulting from violations of their data protection rights.

Data Subject Rights - GDPR vs. Data Protection Law 2020