Dubai International Financial Centre (DIFC) Data Protection Law 2020

Fichte & Co.

His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE has enacted the new Dubai International Financial Centre (DIFC) Data Protection Law, which comes into force from July 1, 2020.

Our Senior Associate, Dr. M.L. VODA, discusses the new regulation, which introduces general fines for serious breaches of the Data Protection Law, in addition to or instead of administrative fines, as well as increased maximum fine limits.

A revisited legal regime and a building block for the high standards of the financial center


From July 1, 2020, the date of entry into force of the new DIFC Data Protection Law, the financial centre will enhance its already existing standalone data protection regime. This is expected to align the DIFC with the standards set by the General Data Protection Regulation (the “GDPR”) and by other international instruments in force.

Law no. 5 of 2020, the Data Protection Law, is a new compliance requirement for Controllers and Processors operating under the remit of the DIFC. By this we understand companies, and their relevant officers, that administer information relating to a Data Subject. A Data Subject is an identified or identifiable natural person to whom such personal data relates.

In brief, the Data Protection Law makes the processing, transfer, storage, and management of Personal Data a controlled environment, with increased liabilities for Processors and Controllers regarding the way they safeguard and protect the data entrusted to them.

From the outset, the precondition for any lawful processing of Personal Data is the unequivocal and clear consent of the Data Subject. Beyond that, the actions a Controller or Processor may take in relation to lawfully obtained data vary in proportion to the risks involved in the processing activities. In short, a Processor or Controller would need to ensure and guarantee that a Personal Data Breach does not occur or, if one does, to indemnify the Data Subject and bear sanctions from the data regulating body, called the Commissioner for the purposes of the Data Protection Law.

Risk-wise, a data processing activity that involves the use of technology (usually administered via third parties), the processing of a large amount of data at once, or processing in which an individual is subject to automated or repeated screening (also referred to as Profiling) is considered a High-Risk Activity under the new Data Protection Law, with correspondingly increased obligations on the Processor to ensure security, integrity, and privacy, both for the data and for the Data Subject to whom the data relates.

Furthermore, the Data Protection Law emphasizes a taxonomy that is not new to lawyers, namely that not all data relating to a natural person is treated under the same safety standards, and not all data has the same circulation regime. In this respect the Law makes clear reference to Special Categories of Personal Data, meaning data “revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data” of a person. Special Categories of Personal Data shall not be processed unless strict conditions are met, inter alia with the express consent of the Data Subject, where such data has been made public by decision of the Data Subject, or in strictly pre-defined cases relating to the administration of justice.

In this respect, the appointment of a DPO (Data Protection Officer) is, under the new Law, mandatory for entities processing Special Categories of Personal Data, with increased responsibilities toward both the Data Subject and the Commissioner.

While the DPO appointment is a novelty in the Personal Data regime at the DIFC, the new Law goes further and marks a few other new areas of regulation:

  • DIFC entities would need to make sure that any sharing or transfer of Personal Data to another jurisdiction meets the necessary safeguards under an “adequate level of protection” test;
  • Personal Data retention needs to be documented in writing, according to the standards and thresholds implied by the new Law;
  • The new Law provides upgraded protocols in case of data breaches and a new sanctions regime for entities that fail to comply with its requirements.

Being a new and sensitive compliance requirement, DIFC entities may wish to start by analysing the level and quantity of Personal Data they process and the purposes of such processing. Since the new Law expands the array of rights available to Data Subjects, including their “right to be forgotten”, Processors and Controllers of such data would need to ensure that these compliance standards are met.

Notably, our Technology, Media and Telecom team regularly advises on such matters, in the Middle East and abroad, and can support DIFC entities in a variety of areas (the list is non-exhaustive):

  • Assessments of current data policies and standards in light of the new Law.
  • Legal consultancy on various Data Protection or Cybersecurity matters, including contracting with third-party suppliers, such as data automation platforms.
  • Review and updating of contracts in light of the new Law.
  • The legal process in case of data breaches.

Last but not least, this new compliance requirement in the DIFC is subject to a 3-month transition period from the entry into force of the new Law, at the end of which Controllers are expected to be fully aligned with these new standards in order to avoid sanctions.
