Alexandre Brazeau
Partner
Following our first article on the key changes to the DPL 2020, DIFC-based companies now need practical advice on how their organisations should manage the Personal Data they Process as part of their business operations. Undefined capitalised terms in this article have the same definitions as provided in the first article of this series.
Before sharing any Personal Data with a federal governmental authority, a company's Controller must satisfy all the following conditions:
Should a Personal Data Breach[1] compromise the security, confidentiality or privacy of Personal Data held by your organisation, the Controller must notify the breach to the Commissioner of Data Protection ("Commissioner"). If the breach is classified as 'high risk', the Data Subjects affected by it must also be notified.
The notification must include the following information:
It is important to note that, in order to demonstrate compliance with the DPL 2020, you should maintain a readily accessible document in electronic form detailing any and all Personal Data Breaches that have occurred.
Potentially yes. At the discretion of the DIFC Courts, a Controller and/or Processor[2] may be liable to pay compensation to Data Subjects whose Personal Data is affected by a breach. Unlike in the GDPR, levels of penalties are not detailed in the DPL 2020. Additionally, an administrative fine (the amount of which will be determined by the Commissioner) could be imposed.
Under the DPL 2020, the liability of Controllers and Processors is assessed as below:
| Role | Liability |
|---|---|
| Controller | Is liable if it Processes Personal Data in any manner that infringes the DPL 2020. |
| Processor | Is liable if it acts in a way that is contrary to the Controller's instructions or if it has not complied with its obligations as set out by the Controller. |
| Controller and Processor | Are jointly and severally liable where both are responsible for the damage caused to the Data Subjects involved. |
Your organisation must have a clear retention policy in place, setting out when retaining Processed Personal Data is no longer necessary and the data must be deleted. Where the scope and purpose of Processing[3] the Personal Data no longer exists, or where a Data Subject[4] requests deletion (in limited circumstances), you must ensure that the relevant Personal Data is permanently and securely deleted.
Read part 3 on practical steps for preparation.
Co-authored by Rifdi Shuhaimi and Tony Fielding.
Footnotes
[1] A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
[2] Any person who Processes Personal Data on behalf of a Controller.
[3] Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting, erasure or destruction of Personal Data.
[4] The identified or identifiable natural person to whom Personal Data relates.