Data Protection Rules In The Dubai International Financial Centre

By Arti Sangar

Arti Sangar is a partner in the Dubai offices of Diaz Reus LLP

Businesses in the Dubai International Financial Centre (DIFC) and in particular, banking and financial organizations are increasingly processing and exchanging individual data electronically. Many businesses, understandably, consider data protection irrelevant to their operations and are not aware of its effects. Many companies may even find these rules difficult to understand and are often not clear what they need to do under the data protection rules and how they should record and process data. However, if data protection rules are ignored, businesses can run into major trouble, and can consequently face hefty fines and sanctions. Businesses in the DIFC must therefore ensure that care is taken when any data is processed in the DIFC, including personal data relating to employees working in the DIFC. This article aims to provide an overview of the data protection legislation in the DIFC.

The collection and use of personal data in the DIFC is governed by the DIFC Data Protection Law 2007 (the “DPL”). The rules set out in the DPL apply to a data controller, that is, any person or entity who is responsible for determining the purpose for which, and the manner in which, personal data is processed. Therefore, if an organization decides to collect and use personal data, the organization will be deemed to be the data controller.  It is noteworthy that a data controller cannot absolve itself of the obligations under the DPL by outsourcing processing activities to a third-party service provider.

The DPL essentially requires the data to be processed accurately, securely, fairly and lawfully. Particular care should be taken when ‘sensitive’ personal data is processed in the DIFC. Under the DPL, specific obligations apply to the processing of personal data which is ‘sensitive’ in nature. Personal information is considered to be ‘sensitive’ if it relates to ‘racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life’. The DPL establishes a DIFC Commissioner of Data Protection who is responsible for, among other things, administering the DPL and developing policies to promote greater awareness of the DPL.

The DPL also sets out the requirements for transferring personal data that originates within the DIFC to areas outside the DIFC. All DIFC registered entities are required to obtain a permit from the Commissioner of Data Protection for the transfer of data out of the DIFC. A transfer of personal data to a recipient located in a jurisdiction outside the DIFC may take place only if that jurisdiction is deemed to have an ‘adequate level of protection’. Those jurisdictions which are considered to have an ‘adequate level of protection’ include all of the European Union countries. Notably, neither the United Arab Emirates nor the United States is considered to be a jurisdiction with an ‘adequate level of protection’ under the DPL.

The DPL grants data subjects certain rights, including rights to access, rectify or block personal data, to seek and obtain confirmation from data controllers as to whether or not personal data which relates to them is being processed and, if it is, why it is being processed. Data subjects also have the right, under the DPL, to object to the processing of personal information which relates to them and to object to that information being disclosed to third parties.

Businesses operating in the DIFC should be fully aware of, and comply with, their obligations under the DPL and ensure that they have adequate policies and procedures in place to protect themselves and the personal data that they process. As a DIFC registered law firm, we can assist you to understand the DPA. We understand the complexities of doing business and are capable of assisting multinational companies and financial institutions to manage legal, regulatory and operational risk. Our expertise includes not just data protection, but also the complex anti-money laundering and regulatory compliance processes.