Revealed: Key facts about the new data protection law issued by Dubai’s DIFC

The Dubai International Financial Centre (DIFC) has introduced a new data protection law, which comes into effect from July 1, 2020.

The ‘Data Protection Law 2020’ aims to enhance DIFC’s current regime around data, security and privacy best practices. Businesses to which the law applies will have a three-month grace period – until October 1 – to adhere to the new legislation, after which it would be enforceable.

Here’s a list of key facts pertinent to the new law.

• • It applies in the jurisdiction of the DIFC and covers the processing of personal data by automated and other means where such data forms/intends to form a part of a filing system.
  • It applies to the processing of personal data by a controller or processor incorporated in the DIFC, regardless of where the processing takes place.
  • It does not apply to the processing of personal data for purely personal/household activity that has no connection to a commercial purpose.
  • Personal data must be processed lawfully and transparently in relation to a data subject; must be processed for legitimate purposes specified at the time of collection; kept accurate, up to date, and secure, etc.
  • Processing of personal data that involves its transfer from DIFC to a third country or an international organisation may take place only if an adequate level of protection is ensured by applicable law.
  • In select cases, a data subject shall have the right to restrict processing.
  • Processing personal data is justified: when a data subject gives consent or to protect his vital interests; when necessary for a contract; to exercise DIFC’s powers/functions; for DIFC to carry out a task in its interest, etc.
  • A controller or a processor is required to implement appropriate measures to demonstrate that the processing is performed as per this law
  • A controller or processor that collects or processes personal data shall maintain a data protection policy in writing that is proportionate and consistent
  • A controller should maintain a written record – possibly in an electronic form – of processing activities under its responsibility.
  • In case of a breach that compromises a data subject’s privacy, the controller shall notify the commissioner.
  • A processor must notify a relevant controller after becoming aware of a personal data breach.
  • A controller or processor are to cooperate with any investigation of the commissioner in relation to a data breach.

Expert Insights:
“The recently announced changes to the DIFC Data Protection Law and Regulations propels the DIFC to obtain recognition from the European Commission, the UK and other jurisdictions around the world. If the changes to the law are seen to provide an ‘adequate’ level of protection to data, recognised as an equivalent standard in each of these jurisdictions, then businesses operating in the DIFC will be able to transfer data into and out of the DIFC to these jurisdictions with much more ease” – Marie Chowdhry, senior associate financial services, Pinsent Masons Middle East

“The new law should further establish the DIFC as an attractive environment in which to work and do business, and position it as a safe and top-tier jurisdiction when it comes to data protection issues ” – Dino Wilkinson, partner and head, technology, media and telecommunications (TMT) team at Clyde & Co in the Middle East