Key Facts: New Data Protection Law Released by Dubai’s DIFC
The Dubai International Financial Centre (DIFC) has issued a new data protection law, which comes into effect from the 11th of July, 2020.
The ‘Data Protection Law 2020’ aims to enhance the DIFC’s current regime around security, privacy and data. All businesses that fall under this law will be given a grace period of three months to comply with the new legislation. The grace period will last until the 1st of October, after which the law will be enforceable on all.
The key facts of the new law are listed below.
- It covers the processing of personal data by automated means, and by other means where the data is intended to form part of a filing system, within the jurisdiction of the DIFC.
- It covers a processor or controller in the DIFC that processes personal data, regardless of where the processing takes place.
- It does not apply to personal data processed for household or personal use; it applies only to commercial purposes.
- Personal data has to be used and processed in a transparent and lawful way in relation to a data subject. It should be processed only for legitimate reasons and purposes, which need to be specified whenever it is collected. Moreover, it should be kept secure, accurate and up to date.
- The new law ensures that a sufficient amount of protection is in place when personal data has to be transferred from the DIFC to an international corporation or a third country.
- In selected cases, a data subject can exercise the right to limit processing.
- Processing of personal data is justified if the data subject has given their consent. It is also justified when needed to protect the data subject’s interests, to exercise functions of the DIFC, for a contract, or when the DIFC needs to carry out a task in its interest.
- Appropriate measures are to be implemented by a processor or controller to show that the law is being strictly followed as required.
- A processor or controller is to maintain a written data protection policy that is consistent and appropriate when processing or collecting personal data.
- The controller should record processing activities, preferably in electronic form.
- If there is a breach of contract that compromises the personal data or privacy of the data subject, the controller has to inform the commissioner in charge.
- A processor should notify the relevant controller after learning about a breach of personal data.
- Full cooperation is expected from the controller and processor if any investigation starts due to the breach.
Insights of experts:
There have been talks about how businesses in Dubai will prosper and move data in and out of the DIFC with more ease if the DIFC Data Protection Law works out. If it succeeds, the DIFC will obtain the recognition of the UK, the European Commission and many more jurisdictions.