DIFC Data Protection Regulations

The DIFC has released data protection rules for companies operating in the DIFC. The DP Law 2020 specifies particular obligations, including notifications to the Commissioner, fines and sanctions, and foreign data transfers. The DIFC Data Protection Regulations 2020 outline the processes and requirements for these commitments.

In this article we take a close look at the DIFC Data Protection Regulations.

Now, let us see what it means!

DIFC: Data Protection

    – The Data Protection Law, DIFC Law No. 5 of 2020 (DIFC DP Law), and the Data Protection Regulations (DIFC DP Regulations, and together with the DIFC DP Law, the DIFC DP Legislation) are new laws governing data protection in the Dubai International Financial Center (DIFC).
    – The Data Protection Law, DIFC Law No. 1 of 2007, was replaced by the DIFC DP Legislation, which went into force on July 1, 2020. Businesses do, however, have a three-month grace period, until October 1, 2020, to reach full compliance.
    – The DP Law 2020 specifies particular obligations, including notifications to the Commissioner, fines and sanctions, and foreign data transfers. The DIFC Data Protection Regulations 2020 outline the processes and requirements for these commitments.

Why Does It Matter

    – Information has never been easier to access and communicate in an age of accelerated technological advancements and growing globalization. Every day, more businesses, and in particular banks and financial institutions, process and exchange personal data electronically and across international borders.
    – Any information pertaining to a living person that specifically identifies him or her is considered personal data. In certain circumstances, personal data can include biometric information, images, and even IP addresses. Subjective or personal information, such as a person’s race, religion, or political or philosophical opinions, is referred to as special category data.
    – Processing and improper management of any form of personal data, whether done voluntarily or involuntarily, can have substantial repercussions, including the possibility of suffering serious financial or other losses. It is essential that people’s right to privacy be safeguarded by creating effective data protection regulations and enforcing legal measures to secure and preserve Personal Data and its processing.

Who Is Affected by the DIFC DP Legislation?

According to the DIFC DP Law, the following are covered:
    1. Companies incorporated in the DIFC (regardless of whether the Processing of Personal Data occurs within the DIFC)
    2. Companies, regardless of where they were incorporated, that process personal data in the DIFC as part of stable arrangements, other than on an occasional basis
    → Point 1 is self-explanatory; however, what are the “stable arrangements” that Point 2 refers to?
    → The DIFC DP Legislation does not define this term (leaving it open to interpretation in terms of enforcement), although the DIFC Guide says that stable arrangements can include a contract with legal force and effect that acknowledges or binds a valid, long-standing connection or arrangement.

Application and Interpretation

– Any reference to the Law in these Regulations is to the Data Protection Law of 2020.
    – Any individual to whom the Law applies is subject to these Regulations.
    – Terms defined in the Law are indicated throughout these Regulations by capitalizing the first letter of a word or phrase. Where the first letter is not capitalized, an expression has its natural meaning.
    – Unless the contrary intention is clear, any reference in these Regulations to a statutory provision refers to that provision as amended and includes references to that provision as it has been extended or applied by or under any other law.
    – The following guidelines apply unless otherwise stated:
        – words importing the masculine gender include words importing the feminine gender, and vice versa
        – words importing the singular include words importing the plural
    – These Regulations are subject to the Law’s interpretational guidelines.

Rights and Obligations of Data Controllers

    – Data Controllers are required to handle Personal Data in an ethical and legal manner.
    – Personal data must only be processed for a clear, unambiguous, and legal reason that was established at the time of collection and supported by legal justifications for the processing.
    – Data controllers are required to promptly erase or correct outdated data to keep it accurate and current.
    – A suitable set of technical and organizational safeguards should be put in place to keep data secure and protect it from unauthorized or unlawful processing, unintentional loss, destruction, or damage.
    – The Data Subject must be informed of the following by the Data Controller:
        – The identity of the Data Controller and their details.
        – The reason for gathering the data.
        – The data subject must give permission for the data controller to process their personal information.
        – Other parties that the Data Controller will involve in the processing and with whom they will share the data.

Rights and Obligations of Data Processors

    – When processing is carried out on behalf of a data controller, a data processor and data controller must have a binding written agreement.
    – Data Processors, like Data Controllers, must put in place organizational and technical safeguards to safeguard the Personal Data of Data Subjects.
    – Additionally, Data Processors are required to keep a documented record of all kinds of processing actions performed on behalf of the Data Controller.
    – If they have written consent from the data controller, data processors may employ another processor to function as a data sub-processor.

Data Subjects’ Rights

    The following list summarizes each Data Subject’s key legal rights.
    – Right to Refuse Consent
    – Rights to Personal Data: Rectification, Erasure, and Access
    – Right to Refusal of Processing
    – Right to restrict processing
    – Right to transfer data
    – Rights relating to automated individual decision-making, including Profiling


    – The Data Protection Law provides for administrative fines that may be imposed for violations of the Law.
    – The specifics of these penalties are detailed in Schedule 2 of the Law, which may be amended from time to time.
    – Depending on which article of the Law is not followed, fines range from USD 10,000 to USD 100,000.

DIFC: Additional Key Notes

    – Organizations handling personal data must do so legally, fairly, and openly with regard to the data subject. Processing should be for clear, unambiguous, and legal reasons that were established at the time the personal data was collected.
    – It is necessary to put in place a privacy policy that outlines the reasons for the organization’s data collection, how the data will be stored, transmitted, and protected, as well as how the data subject can exercise their rights to obtain information about their data.
    – Organizations operating in or incorporated in the DIFC should be aware that data protection compliance is a continuous process. To prevent fines or legal repercussions, adhering to data protection standards and maintaining compliance is a continual journey.
    – Since data moves globally and data protection standards vary in one way or another depending on the local law, organizations must also be aware of current and upcoming data protection compliance requirements across nations.


    That’s all about the DIFC Data Protection Regulations. After reading this essay, I hope you found it enjoyable and learned something new. We have learned what is
