DIFC has enacted a new data protection law


The Dubai International Financial Centre (DIFC) has introduced a new data protection law, which came into effect on 1st July 2020.

The ‘Data Protection Law 2020’ aims to enhance DIFC’s current regime around data, security and privacy best practices. Businesses to which the law applies will have a three-month grace period (until October 1st 2020) to adhere to the new legislation, after which it will be enforceable.

Some key points to consider are:

  • It applies in the jurisdiction of the DIFC and covers the processing of personal data by automated and other means where such data forms, or is intended to form, part of a filing system.
  • It applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of where the processing takes place.
  • It does not apply to the processing of personal data for purely personal/household activity that has no connection to a commercial purpose.
  • Personal data must be processed lawfully and transparently in relation to a data subject; must be processed for legitimate purposes specified at the time of collection; must be kept accurate, up to date, and secure, etc.
  • Processing of personal data that involves its transfer from DIFC to a third country or an international organisation may take place only if an adequate level of protection is ensured by applicable law.
  • In select cases, a data subject shall have the right to restrict processing.
  • Processing personal data is justified: when a data subject gives consent or to protect his vital interests; when necessary for a contract; to exercise DIFC’s powers/functions; for DIFC to carry out a task in its interest, etc.
  • A controller or a processor is required to implement appropriate measures to demonstrate that the processing is performed as per this law.
  • A controller or processor that collects or processes personal data shall maintain a data protection policy in writing that is proportionate and consistent
  • A controller should maintain a written record – possibly in an electronic form – of processing activities under its responsibility.
  • In case of a breach that compromises a data subject’s privacy, the controller shall notify the commissioner.
  • A processor must notify a relevant controller after becoming aware of a personal data breach.
  • A controller or processor is to cooperate with any investigation of the commissioner in relation to a data breach.

The Board of Directors of the DIFC Authority has also issued new Data Protection Regulations that set out the procedures for notifications to the Commissioner of Data Protection, accountability, record keeping, fines and adequate jurisdictions for cross-border transfers of personal data.

Please contact us for more details.