Alexandre Brazeau
Partner
Organisations operating within the Dubai International Financial Centre (DIFC) will be legally obligated to comply with the Data Protection Law 2020 ("DPL 2020") by 1 October of this year. The DPL 2020 aligns the DIFC's data protection framework with international best practices, i.e. the EU's General Data Protection Regulation ("GDPR") and the USA's California Consumer Privacy Act.
If your DIFC-based business involves Processing[1] Personal Data[2], you need to be aware that the new DPL 2020 will come into effect from 1 October 2020. To the extent that you are already compliant with the DIFC's existing Data Protection Law and Regulations, there are only a few months left to prepare your business and to comply with the additional requirements imposed, as set out below.
Similar to the GDPR, one of the main changes brought about by the DPL 2020 is to grant additional rights to Data Subjects[3] to:
When Processing Personal Data, organisations must fulfil the following:
If Processing Personal Data, you will have to demonstrate compliance with these rules to the Commissioner of Data Protection ("Commissioner") and implement appropriate technical and organisational measures to protect Personal Data against loss, destruction or damage.
In short, no. Only businesses that carry out activities that qualify as "High Risk Processing Activities" require the appointment of a DPO. These high risk activities include Processing where:
The role of the DPO will mainly be to monitor and assist an organisation with its compliance obligations and to prepare and submit annual assessments and data protection impact assessments to the Commissioner.
Yes, subject to certain conditions. A company may only share Personal Data abroad if it is:
Furthermore, companies will need to abide by the DPL 2020 guidelines if a governmental authority outside the DIFC requests the transfer of Personal Data.
For further information on data protection laws in the UAE please contact Alexandre Brazeau in our Gowling WLG Dubai office.
Read part 2 on how to manage personal data and part 3 on practical steps for preparation.
Co-authored by Rifdi Shuhaimi and Tony Fielding.
Footnotes
[1] Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restricting, erasure or destruction of personal data.
[2] Any information referring to an identified or identifiable natural person.
[3] The identified or identifiable natural person to whom personal data relates.
[4] Any person who, alone or jointly with others, determines the purposes and means of Processing personal data.
[5] Personal data revealing (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life, including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.