
Dubai International Financial Centre (DIFC) - Data Protection Law 2020

The personal data protection law in the DIFC (Dubai International Financial Centre)


What is Data Protection Law 2020?

The Data Protection Law 2020 is a data privacy regulation established by the Dubai International Financial Centre (DIFC). The Law went into effect on July 1, 2020, and aims to protect personal data and ensure it is processed lawfully, fairly, and transparently, as well as to protect individuals' fundamental rights regarding their personal data while allowing the free movement of such data. It bears many similarities to the GDPR, differing in geographic scope, specific requirements, and enforcement mechanisms.

The Dubai International Financial Centre (DIFC) is a special economic zone in Dubai, United Arab Emirates, established to promote financial services and economic growth in the region. It has its own legal system and courts, which operate independently of the UAE's wider legal framework; as a result, the Data Protection Law 2020 applies within the DIFC, while Federal Decree Law No. 45 applies to the rest of the United Arab Emirates.

How does Data Protection Law 2020 define Personal Information and what are other key definitions?

Under the data privacy law of the Dubai International Financial Centre, personal information is defined as “any information referring to an identified or Identifiable Natural Person.” The law also offers a definition of ‘sensitive personal data,’ which it calls “Special Categories of Personal Data,” namely, personal data “revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.”

A ‘data subject’ here is called an ‘Identifiable Natural Person’ which is understood to mean “a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.”

As with other privacy laws, such as the GDPR, Data Protection Law 2020 offers a definition of ‘data controller,’ understood to be “any person who alone or jointly with others determines the purposes and means of the processing of personal data,” and of ‘data processor,’ defined as “any person who processes personal data on behalf of a controller.”

There is no definition for the sale of personal data; however, a relevant definition is that of “high risk processing activities,” defined as “processing of personal data where one or more of the following applies:

  • processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a data subject or renders it more difficult for a data subject to exercise his rights;
  • a considerable amount of personal data will be processed (including staff and contractor personal data) and where such processing is likely to result in a high risk to the data subject, including due to the sensitivity of the personal data or risks relating to the security, integrity or privacy of the personal data;
  • the processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or
  • a material amount of special categories of personal data is to be processed.”

This definition is relevant as it establishes the types of data processing activities that require impact assessments. 

Who does Data Protection Law 2020 apply to?

Data Protection Law 2020 applies to any entity incorporated in the DIFC that processes personal data, regardless of whether the processing takes place within the DIFC or not, and to any entity, regardless of its place of incorporation, that processes personal data within the DIFC as part of stable arrangements, other than on an occasional basis.

Who does Data Protection Law 2020 exempt? 

The DIFC’s privacy law does not apply to “natural persons processing personal data in the course of a purely personal or household activity with no connection to a commercial purpose,” or to “agreements between DIFC Bodies and third-country governments or international organizations that include appropriate safeguards for data subjects.”

What are the requirements for businesses under Data Protection Law 2020?

Businesses operating within the DIFC must adhere to a range of requirements to ensure the protection of personal data and compliance with the Data Protection Law 2020. These requirements include:

  • Lawful, Fair, and Transparent Processing: Businesses must process personal data in a manner that is lawful, fair, and transparent. This means informing data subjects about how their data is being used and ensuring that data processing is based on a valid legal basis, such as consent, contract performance, legal obligations, vital interests, public tasks, or legitimate interests.
  • Specified, Explicit, and Legitimate Purposes: Personal data must be collected for specified, explicit, and legitimate purposes. It should not be processed further in any way that is incompatible with these purposes. Businesses need to clearly define the purpose of data collection at the time of collection.
  • Data Accuracy and Up-to-Date Information: Businesses are responsible for ensuring that the personal data they hold is accurate and kept up-to-date. Inaccurate data must be corrected or deleted without undue delay. Regular reviews and updates of data should be conducted to maintain accuracy.
  • Data Minimization: Only the data that is necessary for the specified purposes should be collected and processed. Businesses should avoid collecting excessive or irrelevant data and should implement policies to ensure data minimization.
  • Security Measures: Appropriate technical and organizational measures must be implemented to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. This includes measures such as encryption, access controls, and regular security assessments.
  • Data Protection Officer (DPO): Businesses conducting high-risk processing activities or as directed by the Data Protection Commissioner must appoint a Data Protection Officer (DPO). The DPO should have the expertise and resources to monitor compliance with the law, inform and advise the organization, and act as a point of contact with the Commissioner.
  • Records of Processing Activities: Controllers and processors are required to maintain detailed records of their processing activities. These records should include information such as the purposes of processing, categories of data subjects and personal data, recipients of the data, and details of data transfers to third countries.
  • Data Protection Impact Assessments (DPIAs): When initiating high-risk processing activities, businesses must conduct Data Protection Impact Assessments (DPIAs) to evaluate the potential impact on data subjects’ privacy and implement measures to mitigate risks. DPIAs should include a description of processing operations, an assessment of necessity and proportionality, and measures to address identified risks.
  • Data Breach Notification: In the event of a personal data breach, businesses must notify the Data Protection Commissioner without undue delay and, where feasible, within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed without undue delay.
  • Accountability and Governance: Businesses must demonstrate compliance with the Data Protection Law 2020 through robust governance and accountability measures. This includes implementing data protection policies, conducting regular training for staff, and maintaining documentation to prove compliance.
  • Privacy by Design and Default: Data protection principles should be embedded into the design of business processes and systems from the outset. By default, only the minimum necessary amount of personal data should be processed, and access should be limited to those who need it for legitimate purposes.
  • Third-Party and International Data Transfers: Transfers of personal data to third parties or outside the DIFC must be conducted in accordance with the law. Appropriate safeguards, such as standard contractual clauses or binding corporate rules, should be in place to ensure the protection of data during such transfers.
  • Rights of Data Subjects: Businesses must facilitate the exercise of data subjects' rights, such as the right to access, rectification, erasure, restriction of processing, and data portability. Procedures should be in place to handle requests from data subjects efficiently and within the specified timeframes.


What are the data subject rights under Data Protection Law 2020?

Data Protection Law 2020 gives data subjects the following rights: 

  • Right to withdraw consent 
  • Right to access 
  • Right to rectify inaccurate data
  • Right to erase data (under certain conditions)
  • Right to restrict processing 
  • Right to object to processing based on legitimate interests or direct marketing
  • Right to data portability

How to respond to consumer requests under Data Protection Law 2020?

Your organization has to respond to data subject requests (e.g., requests for access, rectification, erasure, restriction of processing, and data portability) without undue delay but no later than one month of receiving the request. Before responding to the request you have to implement a process that allows you to verify the identity of the individual making the request to ensure the protection of personal data. If you have reasonable doubts as to the identity of the data subject, you may ask the data subject to provide additional information sufficient to confirm their identity and, in such cases, the time period for complying with the request does not begin until you’ve received information or evidence sufficient to reasonably identify that the person making the request is the data subject.

If the request is particularly complex, or if you have received numerous requests from the data subject, you can extend the response time by an additional two months; however, you have an obligation to send the data subject a notice informing them of the extension as well as the reasons for it.

Requests for access, rectification, or erasure have to receive a response within one month, free of charge, and the response has to include the information relevant to that type of request.

If you receive requests from a data subject that are manifestly unfounded or excessive, in particular because of their repetitive character, you can either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or you can refuse to act on the request, providing written confirmation to the data subject along with the reasons for the refusal.

In the case of a request for rectification or erasure, you have an obligation to communicate these requests to any third parties to whom the data has been disclosed.

Data Protection Law 2020 enforcement and penalties

The law is enforced by the Data Protection Commissioner, who has the authority to investigate compliance with the Data Protection Law 2020, issue directions for non-compliance, require businesses to produce information and undergo audits, and impose administrative fines for violations.

Penalties for violations of the DIFC’s data privacy law are as follows: 

  • General non-compliance with the provisions of the law: up to $50,000.
  • Failure to comply with an order issued by the Commissioner: up to $100,000.
  • Breach of the conditions for processing special categories of personal data: up to $75,000.
  • Non-compliance with the requirements for transfers of personal data to third countries: up to $50,000.
  • Failure to notify the Commissioner of a data breach: up to $50,000.
  • Not appointing a Data Protection Officer (DPO) when required: up to $50,000.
  • Not conducting a Data Protection Impact Assessment (DPIA) when necessary: up to $50,000.
  • Breach of the requirements for processing children's data: up to $50,000.

In addition, individuals can submit complaints to the Commissioner if they believe their data protection rights have been violated, in which case the Commissioner may mediate between the complainant and the data controller or processor. Individuals can also seek compensation from controllers or processors for material or non-material damage resulting from violations of their data protection rights.

Data Subject Rights - GDPR vs. Data Protection Law 2020


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

See Clym in action for yourself by booking a demo, or reach out to us today to discuss your specific needs.

FAQs about Data Protection Law 2020

What does Data Protection Law 2020 apply to?

Data Protection Law 2020 applies to any entity incorporated in the DIFC that processes personal data, regardless of whether the processing takes place within the DIFC or not, and to any entity, regardless of its place of incorporation, that processes personal data within the DIFC as part of stable arrangements, other than on an occasional basis.

What is exempt under Data Protection Law 2020?

The DIFC’s privacy law does not apply to “natural persons processing personal data in the course of a purely personal or household activity with no connection to a commercial purpose,” or to “agreements between DIFC Bodies and third-country governments or international organizations that include appropriate safeguards for data subjects.”

What data subject rights does Data Protection Law 2020 grant?

Data Protection Law 2020 gives data subjects the following rights: 

  • Right to withdraw consent 
  • Right to access 
  • Right to rectify inaccurate data
  • Right to erase data (under certain conditions)
  • Right to restrict processing 
  • Right to object to processing based on legitimate interests or direct marketing
  • Right to data portability

What are the penalties for non-compliance with the Data Protection Law 2020?

Penalties for violations of the DIFC’s data privacy law are as follows: 

  • General non-compliance with the provisions of the law: up to $50,000.
  • Failure to comply with an order issued by the Commissioner: up to $100,000.
  • Breach of the conditions for processing special categories of personal data: up to $75,000.
  • Non-compliance with the requirements for transfers of personal data to third countries: up to $50,000.
  • Failure to notify the Commissioner of a data breach: up to $50,000.
  • Not appointing a Data Protection Officer (DPO) when required: up to $50,000.
  • Not conducting a Data Protection Impact Assessment (DPIA) when necessary: up to $50,000.
  • Breach of the requirements for processing children's data: up to $50,000.

What are the differences between GDPR and Data Protection Law 2020?

The GDPR, applicable across the EU and to any organization processing EU residents' data, shares many similarities with the DIFC's Data Protection Law 2020, including definitions of personal and sensitive data, lawful processing bases, and data subject rights. However, key differences lie in their scope and jurisdiction; the GDPR has a broader geographic reach, while the Data Protection Law 2020 specifically applies to entities within the DIFC. Additionally, the GDPR mandates DPO appointments for public authorities and large-scale data processors, while the DIFC law requires DPOs for high-risk activities or as directed by the Commissioner. Both laws enforce strict data breach notifications and impose significant fines for non-compliance, but enforcement mechanisms and fine amounts differ.

What are the differences between Federal Decree Law No. 45 and Data Protection Law 2020?

Federal Decree Law No. 45 (UAE PDPL) applies to the entire UAE, excluding free zones like DIFC and ADGM, covering both public and private sectors and including extraterritorial processing of UAE residents' data. It is enforced by the UAE Data Office and mandates explicit consent for data processing, emphasizing data subject rights and breach notifications without a specific timeline. In contrast, the Data Protection Law 2020 (DIFC) specifically applies to entities within the DIFC, is enforced by the DIFC Data Protection Commissioner, requires a 72-hour breach notification, and outlines specific penalties for non-compliance.


Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596