UAE: A Brief Overview on the Regulatory Framework Part II

POSTED ON JANUARY 26, 2023 BY DATA SECURE

DIFC Data Protection Regulations

Scope

[Section 6]

• The DIFC Data Protection law applies to the processing of Personal Data by automated means and means other than automated where the personal data forms part of a Filing system or is intended to form a part of a Filing system.

• The DIFC regulation applies to the processing of Personal Data by a Controller or Processor incorporated within the DIFC, irrespective of where the processing takes place.

• This Law applies to a Controller or Processor, irrespective of its place of incorporation, if it Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis.

• This Law applies to such Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), such as transfers of Personal Data out of the DIFC.

• The law does not apply to processing of personal data which has no connection to a commercial motive.

• As for the territorial scope of this Law, it applies in the jurisdiction of the DIFC, and applies to agreements entered into between DIFC Bodies and Third Country government authorities (including regulatory and public authorities established by the law of a Third Country) or International Organisations.

Consent

[Section 12]

• Consent must be freely given by a clear affirmative act that shows an unambiguous indication of consent. Where Processing is based on consent, a Controller must be able to demonstrate that consent has been freely given.

• A Data Subject may withdraw consent at any time in accordance with the right afforded to Data Subjects. If the Processing is intended to cover multiple purposes, consent must be obtained for each purpose in a manner that is clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language.

• Other than for the purpose of a Single Discrete Incident, where a Controller relies on a Data Subject’s consent for Processing, the Controller should implement appropriate and proportionate measures to assess the ongoing validity of the consent.

Cross Border Data Transfers

[Section 40]

Transfer of data to a country with an adequate level of protection can occur if the recipient country provides appropriate safeguards to protect the data, assessed on the basis of:

a) the rule of law, the general respect for individuals' rights, and the ability of individuals to enforce their rights via administrative or judicial redress;

b) access of a Public Authority to Personal Data;

c) the existence of an effective Data Protection Law.

Transfer of data from the DIFC to other countries can also occur in the absence of an adequate level of protection, provided that a sufficient safeguard mechanism is in place, which includes:

a) a legally binding instrument between Public Authorities;

b) Binding Corporate Rules (BCR);

c) Standard Data Protection Clauses as adopted by the Commissioner.

Grounds for Processing Personal Data

[Section 10]

Processing under DIFC shall be considered lawful if:

a) a Data Subject has given lawful consent under the Law to the Processing of that Personal Data.

b) Processing is necessary for the performance of a contract to which a Data Subject is a party.

c) Processing is necessary for compliance with Applicable Law.

d) Processing is necessary in order to protect the vital interests of a Data Subject or of another natural person.

e) Processing is necessary for:

(i) performance of a task carried out by a DIFC Body in the interests of the DIFC;

(ii) exercise of a DIFC Body’s powers and functions; or

(iii) the exercise of powers or functions vested by a DIFC Body in a Third Party to whom Personal Data is disclosed by the DIFC Body.

f) Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available except where such interests are overridden by the interests or rights of a Data Subject. (does not mention minors)

Security

[Section 14]

The DIFC law does not have a specialised section targeted at security standards, but it embodies the same standards as the ADGM law in the text of the statute. The DIFC law mandates that the Controller and Processor are required to implement appropriate technical and organisational measures to demonstrate that Processing is performed in accordance with the Law, including ensuring a level of security that is:

a) appropriate to the risks associated with Processing, taking account of any wilful, negligent, accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of or access to Personal Data; and

b) against all other unlawful forms of Processing;

c) ensuring that, by default, only Personal Data necessary for each specific purpose is Processed. This obligation applies to the amount and type of Personal Data collected, the extent of the Processing, the period of storage and accessibility; and reviewing and updating such measures where necessary to reflect legal, operational and technical developments.

Data protection by design and by default

[Section 14]

The Controller must take appropriate steps to ensure that:

a) Processing is designed to reinforce data protection principles such as data minimisation at the time of determining the means for Processing and at the time of Processing.

b) by default, only Personal Data that is necessary for each specific purpose is Processed, and that Personal Data is not made accessible to an indefinite number of persons without the Data Subject's intervention.

Records of data processing

[Section 15]

Each Controller must maintain a detailed record of the following information:

a) the name and contact details of the Controller and its appointed DPO;

b) the purpose(s) of the Processing;

c) a description of the categories of Data Subjects;

d) a description of the categories of Personal Data;

e) the categories of recipients to whom the Personal Data has been or will be disclosed, including recipients in Third Countries and International Organisations;

f) the identification of the Third Country or International Organisation to which the Personal Data has been or will be transferred;

g) the time limits for erasure of the different categories of Personal Data;

h) a general description of the technical and organisational security measures.

Data Protection Impact Assessment

[Section 20]

A DPIA shall contain:

a) a systematic description of the foreseen Processing operations and the purpose(s) of the Processing, including the purpose pursued by the Controller;

b) an assessment of the necessity and proportionality of the Processing operations.

c) identification and consideration of the lawful basis for the Processing, including:

i. where legitimate interests are relied upon, an analysis and explanation of why the Data Subject's rights are not overridden;

ii. where consent is the basis for Processing, validation that such consent is validly obtained and consideration of the impact of the withdrawal of consent;

d) assessment of the risks to the rights of Data Subjects;

e) measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data and to demonstrate compliance.

Data Protection Officer

[Section 18]

The DPO shall perform at least the following tasks:

a) Monitor a Controller's or Processor's compliance with:

i. DIFC law

ii. Any other data protection or privacy-related laws or regulations to which the organisation is subject within the DIFC

iii. Any policies relating to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff

b) Inform and advise a controller or processor and its employees who carry out processing of its obligations.

c) Provide advice where requested in relation to DPIAs

d) Cooperate with the commissioner

e) Act as the contact point for the Commissioner on issues relating to Processing.

f) Receive and act upon any relevant findings, recommendations, guidance, directives, resolutions, sanctions, notices or other conclusions issued or made by the commissioner.

Data Breach Notifications

[Section 41]

If an incident has occurred that leads to a Personal Data Breach that compromises a Data Subject's confidentiality, security or privacy, the Controller involved should notify the Commissioner of the Personal Data Breach as early as possible. Controllers and Processors should fully co-operate with any investigation by the Commissioner in relation to a Personal Data Breach. The notification shared with the Commissioner should:

a) Include the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate amount of Personal Data records concerned.

b) Communicate the name and contact details of the DPO or other contact point where more information can be obtained.

c) Describe the likely consequences of the Personal Data Breach and the measures taken to mitigate the risk.

Separately, when a Personal Data Breach is likely to result in a high risk to the security or rights of a Data Subject, the Controller shall communicate the Personal Data Breach to the affected Data Subject as soon as practicable in the circumstances.

Compliance for Processors

[Section 24]

• Data Processors need to have a legally binding written agreement with Data Controllers when the processing will be performed on behalf of the Data Controller.

• Like Data Controllers, Data Processors also need to implement technical and organisational measures to protect the Personal Data of Data Subjects.

• Data Processors should also maintain a written record of all the categories of processing activities which are carried out on behalf of the Data Controller.

• Data Processors can engage another processor to act as a Data Sub-Processor only if they have written authorisation from the Data Controller.

Redressal Mechanisms

Lodging complaints and mediation [Schedule 60]

a) A Data Subject who contends that there has been a contravention of the Law or an alleged breach of his rights under the Law may lodge a complaint with the Commissioner.

b) Multiple Data Subjects affected by the same alleged contravention or breach of rights may raise such complaint collectively.

c) The Commissioner may investigate the matters that are the subject of the complaint or mediate between the complainant and the relevant Controller or Processor.

Penalties [Schedule 2]

a) The Data Protection Law imposes administrative fines that may be applied for contraventions of this Law.

b) The details of these fines are listed under Schedule 2 of the Law, which may be updated from time to time. The penalties range from USD 10,000 to USD 100,000, depending on which of the articles listed in the Law has been contravened.

Conclusion

The ADGM Data Protection Law deals with data rights, transfers of data and complaint mechanisms arising within the ADGM. The Data Protection Law of the DIFC deals specifically with setting standards for the Processing and free movement of Personal Data by Controllers and Processors while protecting the fundamental rights of Data Subjects within the DIFC jurisdiction. When analysing the adequacy of the level of protection of Personal Data, the Commissioner of Data Protection must take into account: [Section 41]

a) the rule of law, respect for individuals' rights, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to Personal Data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of Personal Data to another jurisdiction, sector or International Organisation;

b) the existence and effective functioning of one or more independent supervisory authorities in the receiving jurisdiction;

c) the international commitments the receiving jurisdiction, sector or International Organisation concerned has entered into.

While the ADGM and DIFC laws set out more comprehensive and detailed grounds for processing personal data, they are very similar to each other; the only difference is the jurisdiction under which they operate. The DIFC provisions for security seem vaguer and more open-ended than those of the ADGM and HDPR. The Act itself recognises its principles as general rather than specific, which may weaken its ability to curb inappropriate security standards set by corporates. Besides the accountability measures mentioned, the ADGM law has also promulgated guidelines on the formation of Binding Corporate Rules, which facilitate the accountability functions in the data protection sphere.

The records of data processing in both ADGM and DIFC laws are similar, not unlike the other measures in the laws; however, DIFC law mandates the maintenance of the name and contact details of the DPO as well, while the ADGM law does not mandate anything of this sort.

The DIFC law does not promulgate any guidelines to the formation of binding corporate rules. In fact, it only mentions the phenomenon to note the derogations in the “Transfers out of the DIFC in the absence of an adequate level of protection” section of the law. [Section 27]

Binding Corporate Rules in the ADGM must specify at least:

a) the structure and contact details of the Group;

b) the details of the data transfers, including the categories of Personal Data, the type of Processing and its purposes, the type of Data Subjects affected and the identification of the relevant jurisdiction(s);

c) their legally binding nature, both internally and externally;

d) the application of the general data protection principles, including purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for Processing, Processing of Special Categories of Personal Data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the Binding Corporate Rules;

e) the rights of Data Subjects and the means to exercise those rights;

f) the tasks of any Data Protection Officer designated;

g) the complaint procedures;

h) the mechanisms within the Group for monitoring compliance with the Binding Corporate Rules;

i) the procedures for recording changes to the rules and reporting those changes;

j) the data protection training provided to personnel with permanent or regular access to Personal Data.

The ADGM mandates only a documented form of instructions, while the DIFC mandates a legally binding written agreement.

In the ADGM, if a Controller or Processor intentionally or negligently, for the same or linked Processing operations, contravenes several provisions of the Regulations, the total amount of the administrative fine must not exceed USD 28 million. [Section 55] No such limit has been implemented in the DIFC regulation; only a per-violation penalty is given in Schedule 2 of the Act.

Kindly read the complete UAE Personal Data Protection Act: UAE Federal Decree 45 of 2021 on Personal Data Protection - English (dpo-india.com)

Kindly also read the DIFC_data_protection_law.pdf (dpo-india.com)

We at Data Secure (DATA SECURE - Privacy Automation Solution) can help you to understand Privacy and Trust while dealing with personal data and provide Privacy Training and Awareness sessions in order to increase the privacy quotient of the organisation.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to India Digital Personal Data Protection Bill 2021. For more details, kindly visit DPO India – Your outsourced DPO service (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading various Global Privacy Laws, kindly visit the Resources page (dpo-india.com).

Kindly write to us at info@borderless-data.com for our six-step Lawful Borderless Data Transfer Solution.