Data protection regimes generally aim to strike a balance between the legitimate need for the processing of personal data by organisations in the ordinary course of business and an individual’s right to privacy with respect to such processing of their personal data. Yasmene Cerfontyne, in the Banking & Finance team at Hadef & Partners, considers the legal position on DIFC data privacy and protection.
The various laws relating to privacy issues in UAE ‘onshore’ are spread across a number of sources of legislation. The DIFC, however, has a discrete data protection regime, and we are often approached by clients seeking data protection advice with respect to the DIFC specifically, in order to ensure they remain compliant with any data protection obligations.
This Q & A considers some of the key aspects of data protection as set out in the legislative framework for data protection in the DIFC.
1. What law governs data protection in the Dubai International Financial Centre (DIFC)?
In the DIFC, data protection is governed by the Data Protection Law, DIFC Law No. 1 of 2007, as amended (Data Protection Law). There are also Data Protection Regulations (Regulations).
2. Who regulates data protection in the DIFC?
The DIFC Commissioner of Data Protection is responsible for administering the Data Protection Law and the Regulations.
3. What is the scope of the Data Protection Law?
The Data Protection Law sets out the regulatory requirements in relation to the use, collection, handling and disclosure of ‘Personal Data’ and ‘Sensitive Personal Data’ in the DIFC, as well as transfers of personal data outside of the DIFC.
4. What does ‘Personal Data’ mean and how does ‘Sensitive Personal Data’ differ?
‘Personal Data’ is defined under the Data Protection Law as any ‘Data’ relating specifically to an identifiable natural person (i.e. a ‘Data Subject’). ‘Data’ itself includes information that is processed by automated means, recorded with the intention that the data should be processed by such equipment, or information that is recorded as part of a relevant filing system. The scope of ‘Personal Data’ is therefore quite broad and potentially far reaching.
‘Sensitive Personal Data’ is specifically defined under the Data Protection Law to include personal data that directly or indirectly reveals certain personal factors in respect of the ‘Data Subject’ such as race, ethnic origin, communal origin, political affiliations, religion, philosophical beliefs, criminal record, trade union membership, health or sex life. Due to its nature, ‘Sensitive Personal Data’ is subject to additional protection under the Data Protection Law.
5. What is the difference between a ‘Data Controller’ and ‘Data Processor’?
A ‘Data Controller’ is an entity or individual in the DIFC that determines the means and purpose of the ‘Processing’ of ‘Personal Data’ (‘Processing’ is widely defined and covers almost any operation involving personal data). A ‘Data Processor’ is an individual or entity that processes ‘Personal Data’ on behalf of the ‘Data Controller’.
6. When can a ‘Data Controller’ process ‘Personal Data’ or ‘Sensitive Personal Data’?
The Data Protection Law provides for certain general requirements where a ‘Data Controller’ carries out processing of ‘Personal Data’ including, among other things, that the processing is carried out (i) in a fair, lawful and secure manner; (ii) for specific and legitimate purposes; (iii) in a way that is compatible with the data subject’s rights; and (iv) proportionately to the purpose and not excessively.
There are specific grounds outlined under the Data Protection Law in relation to the legitimate processing of ‘Personal Data’ and ‘Sensitive Personal Data’. These provide conditions within which ‘Processing’ may take place.
‘Processing’ of ‘Personal Data’ may be carried out and is noted under the Data Protection Law as legitimate processing where, for example:
- written consent of the ‘Data Subject’ has been obtained
- processing is required in order to perform a contract to which the ‘Data Subject’ is party
- processing is required by virtue of a legal obligation applicable to the ‘Data Controller’
- processing is required in order to perform a task in the interests of the DIFC or as may be required in certain circumstances by the DIFC authority, Dubai Financial Services Authority, the DIFC court and the Registrar
- processing is required for the legitimate interests of the ‘Data Controller’ (unless such interests are overridden by compelling legitimate interests of the ‘Data Subject’).
There are also various grounds stipulating where ‘Sensitive Personal Data’ may be processed. While it is beyond the scope of this Q & A to outline every single ground, some bear similarities to the grounds for the ‘Processing’ of ‘Personal Data’, such as obtaining the written consent of the ‘Data Subject’. Other grounds are distinct to the ‘Processing’ of ‘Sensitive Personal Data’, such as where the ‘Sensitive Personal Data’ is made publicly available by the ‘Data Subject’ or where ‘Processing’ is required in order to adhere to certain regulatory requirements such as anti-money laundering, auditing, accounting or counter-terrorist financing obligations. Which ground applies in a given scenario will depend on the circumstances of the case.
As an alternative to satisfying one of the grounds, a ‘Data Controller’ may apply for a permit from the Commissioner of Data Protection for the ‘Processing’ of ‘Sensitive Personal Data’.
7. What rights does a ‘Data Subject’ have?
As well as protecting the interests of a ‘Data Subject’ generally, the Data Protection Law provides for certain specific rights. By way of example, a ‘Data Subject’ has the right, subject to reasonableness, to request written confirmation from the ‘Data Controller’ of whether ‘Processing’ of any ‘Personal Data’ relating to the ‘Data Subject’ is taking place, as well as the purpose of such ‘Processing’, the categories of ‘Personal Data’ concerned and who it will be disclosed to. As may be appropriate to the circumstances, the ‘Data Subject’ has the right to rectification, erasure or blocking of certain ‘Personal Data’ where ‘Processing’ of the same is incompatible with the provisions of the Data Protection Law. A ‘Data Subject’ also has the right to object to ‘Processing’ of his or her ‘Personal Data’ on reasonable grounds.
8. Are there any record-keeping or notification requirements under the Data Protection Law?
In addition to the obligation upon ‘Data Controllers’ to establish and maintain records of personal data ‘Processing’ operations, a ‘Data Controller’ is subject to certain notification requirements under the Data Protection Law and Regulations. In particular, a ‘Data Controller’ is required to notify the Data Protection Commissioner where:
- ‘Processing’ concerns ‘Sensitive Personal Data’; and
- the transfer of ‘Personal Data’ takes place to a recipient outside of the DIFC which is not subject to laws and regulations that ensure an adequate level of protection.
There are other notification requirements under the Data Protection Law, for example, where there has been an intrusion/security breach of a ‘Data Controller’s’ database.
9. How is it determined whether a transfer of ‘Personal Data’ outside of the DIFC is to a jurisdiction with an adequate level of protection?
The DIFC has specifically listed the jurisdictions that are considered to have an adequate level of protection for the purposes of transfers of ‘Personal Data’ outside of the DIFC.
10. What liability, sanctions and remedies are applicable where there has been a breach of the Data Protection Law?
If a ‘Data Controller’ has breached the Data Protection Law, a ‘Data Subject’ is able to lodge a complaint with the Commissioner of Data Protection, who may conduct an inspection, issue a direction, mediate, or impose a financial penalty upon the ‘Data Controller’.
There are various fines that may be imposed depending on the particular breach. Fines range from $5,000 to $25,000.
If a ‘Data Subject’ suffers damage due to a breach of the Data Protection Law by a ‘Data Controller’, they may apply to the DIFC courts for compensation.
This article, including any advice, commentary or recommendation therein, is provided on a complimentary basis, without consideration of any specific objective, circumstance or need. It reflects views of the writer which may differ from those of the firm. Having read this article, any person taking action, or refraining from taking action, does so at their sole risk.