DIFC entities have until 1 October 2020 to ensure that their data processing activities are compliant with the new Data Protection Law (DIFC Law 5 of 2020) (the DP Law).
Who is subject to the DP Law?
- • DIFC entities.
- • Non-DIFC entities that regularly engage with DIFC entities as part of a “stable arrangement”, which involve data being processed in the DIFC and/or transferred out of the DIFC.
Practical Guidance
1. Maintain a record of Personal Data.
2. Delete Personal Data when the purpose for processing ceases.
3. Maintain (written) consents obtained from Data Subject(s).
4. Have in place technical and organisational measures.
5. Have in place a data protection policy.
6. Ensure that notification of processing operations was submitted to the Commissioner.
7. Have in place a legally binding agreement between: (i) Joint Controllers, (ii) a Controller and a Processor, (iii) a Processor and a Sub-Processor.
Additional Guidance – Entities carrying out High Risk Processing Activities
An entity carrying out High Risk Processing Activities has the following additional requirements:
8. Appoint a Data Protection Officer.
9. Submit an Annual Assessment to the Commissioner.
10. Undertake a Data Protection Impact Assessment prior to conducting High Risk Processing Activity.
Transfer of Personal Data outside of DIFC
Personal Data can be transferred outside of the DIFC if it satisfies one of the conditions under the DP Law.
Country with Adequate Level of Protection: Personal data can be transferred out of DIFC if the recipient country has an adequate level of protection. The Commissioner determines the countries that have an adequate level of protection.
Country without an Adequate Level of Protection: If the recipient country does not have an adequate level of protection, then the transfer can be done only if certain additional requirements are satisfied.
Sanctions and Compensation
The sanctions are substantial for non-compliance of the DP Law with the maximum fine ranging from USD 20,000 to USD 100,000 depending on the breach.
Where a Data Subject suffers material or non-material damage by reason of any contravention of the DP Law, the Data Subject may apply to the DIFC Court for compensation from the Controller or Processor in addition to, and exclusive of, any fine imposed on the same parties.
In terms of the apportionment of liability between Controllers and Processors, where the Controller and Processor are held liable for the damages caused:
- A Controller involved in processing that infringes the DP Law shall be liable for damages caused.
- A Processor shall be liable for damages caused by processing only where it has not complied with the obligations specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.
- Where multiple Controller(s) or Processor(s) are involved in the processing and where each is responsible for any damage caused by the processing, each shall be held jointly and severally liable for the entire damage. ■