uaepdpl.com

Table of Contents

PART 1: INTRODUCTION AND SCOPE

PART 2: GENERAL REQUIREMENTS

PART 3: JOINT CONTROLLERS AND PROCESSORS

PART 4: DATA EXPORT AND SHARING

PART 5: INFORMATION PROVISION

PART 6: RIGHTS OF DATA SUBJECTS

PART 7: PERSONAL DATA BREACHES

PART 8: THE COMMISSIONER

PART 9: REMEDIES, LIABILITY AND SANCTIONS

PART 10: GENERAL EXEMPTIONS

REGULATION 10 ON PERSONAL DATA PROCESSED THROUGH AUTONOMOUS AND SEMI-AUTONOMOUS SYSTEMS

PART 10

GENERAL EXEMPTIONS

65. General exemptions

(1) The DIFCA Board of Directors may make Regulations exempting Controllers from compliance with this Law or any parts of this Law. Such Regulations shall be consistent with the principles contained within this Article.

(2) Without limiting the generality of Article 65(1), and having regard to the fundamental rights and legitimate interests of the Data Subject, Articles 26, 29, 30, 32, 33, 34, 35, 37, 38, 39 and 42 shall not apply to a DIFC Body, where such DIFC Body acts as a Controller, if, and only to the extent that, compliance with such Article would in any case be likely to cause material prejudice to the proper discharge by such DIFC Body of its powers and functions under any laws administered by it (including any delegated powers and functions), provided that such powers and functions:

(a) are designed for protecting members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other banking and financial activities and services, including insurance and reinsurance services, financial markets and financial and monetary brokerage services;

(b) are designed for protecting members of the public against dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services; or

(c) are designed for the detection, investigation and prosecution of criminal or unlawful behaviour.

(3) A DIFC Body shall maintain a register of any case where it relies on an Article 65(2) exemption, setting out:

(a) the Article concerned, to the extent that the exemption is a necessary and proportionate measure to carry out the powers and functions described in Article 65(2)(a) to (c); and

(b) the reasons for reliance on the exemption in such case.

(4) The Commissioner may inspect the register referred to in Article 65(3) and may at any time request additional information, raise a query or an objection to the exemption or conduct an investigation into the Applicable Law, regulation or public policy that supports the exemption to determine whether the exercise of the exemption complies with this Law.

(5) A DIFC Body that contravenes Article 65(2) by invalidly relying on an exemption shall be subject to any of the remedies, liabilities and sanctions set out in Part 9.

SCHEDULE 1

1. Rules of interpretation

(1) In this Law, unless otherwise provided, a reference to:

(a) a statutory provision includes a reference to the statutory provision as amended or re-enacted from time to time;

(b) a “person” includes any natural person, body corporate or body unincorporate, including a company, partnership, unincorporated association, government or state;

(c) an obligation to publish or cause to be published a particular document shall, unless expressly provided otherwise in this Law, include publishing or causing to be published in printed or electronic form;

(d) a “day” means a calendar day, unless expressly stated otherwise. If an obligation falls on a calendar day which is either a Saturday, Sunday or an official public holiday, the obligation shall take place on the next calendar day which is a business day;

(e) a “business day” means a calendar day, excluding Saturdays, Sundays and official public holidays;

(f) a “week” shall mean a calendar week or seven (7) days, whichever is applicable in the circumstances;

(g) a “month” shall mean a period of thirty (30) days;

(h) a “year” shall mean a period of three hundred and sixty five (365) days and a “calendar year” shall mean a year of the Gregorian calendar;

(i) a reference to the masculine gender includes the feminine and vice versa;

(j) the singular shall include the plural and vice versa;

(k) “dollar” or “$” is a reference to United States Dollars unless the contrary intention appears; and

(l) this Law includes any Regulations made under this Law;

(2) The headings in this Law shall not affect its interpretation.

(3) References in this Law to a body corporate include a company incorporated outside the DIFC.

(4) A reference in this Law to a Part, Chapter, Article or Schedule by number only, and without further identification, is a reference to the Part, Chapter, Article or Schedule of that number in this Law.

(5) A reference in an Article or other division of this Law to an Article by number or letter only, and without further identification, is a reference to the Article of that number or letter contained in the Article or other division of this Law in which that reference occurs.

(6) Unless the context otherwise requires, where this Law refers to an enactment, the reference is to that enactment as amended from time to time, and includes a reference to that enactment as extended or applied by or under another enactment, including any other provision of that enactment.

(7) References in this Law to writing, filing, instrument or certificate include any mode of communication that preserves a record of the information contained therein and is capable of being reproduced in tangible form, including electronic means.

2. Legislation in the DIFC

References to legislation and guidance in this Law shall be construed in accordance with the following provisions:

(a) Federal Law is law made by the federal government of the United Arab Emirates;

(b) Dubai Law is law made by the Ruler, as applicable in the Emirate of Dubai;

(c) DIFC Law is law made by the Ruler (including, by way of example, the Law), as applicable in the DIFC;

(d) the Law is the Data Protection Law, DIFC Law No. 5 of 2020 made by the Ruler;

(e) the Regulations are legislation made by the DIFCA Board of Directors under this Law and are binding in nature;

(f) the Enactment Notice is the enactment notice pursuant to which this Law is brought into force; and

(g) guidance is indicative and non-binding and may comprise (i) guidance made and issued by the Commissioner for the purposes of this Law; and (ii) any standard or code of practice issued by the DIFCA Board of Directors.

3. Defined terms

In the Law, unless the context indicates otherwise, the defined terms listed below shall have the corresponding meanings.

Terms and Definitions

Applicable Law: all applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings or awards of any government, quasi-government, statutory or regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction.

Binding Corporate Rules: Personal Data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of Personal Data between members of a Group, legally bind such members to comply, and which contain provisions for the protection of such Personal Data.

Commissioner: the person appointed by the President pursuant to Article 43(1) of the Law to administer the Law.

Controller: any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Court: the DIFC Court as established under Dubai Law.

Data Subject: the identified or Identifiable Natural Person to whom Personal Data relates.

DFSA: the Dubai Financial Services Authority.

DIFCA: the DIFC Authority established under Dubai Law.

DIFC: the Dubai International Financial Centre.

DIFCA Board of Directors: the governing body of the DIFCA established under Dubai Law No. 9 of 2004 (as repealed and substituted by Dubai Law No. (5) of 2021).

DIFC Body: includes the Commissioner, DIFCA, DFSA, DIFC Courts, and any other person, body, office, registry or tribunal established under DIFC Laws or established upon approval of the President that is not revoked by this Law or any other DIFC Law. “DIFC Bodies” shall have a corresponding meaning.

DPO: a data protection officer appointed by a Controller (including a Joint Controller) or Processor to independently oversee relevant data protection operations in the manner set out in Articles 16, 17, 18 and 19.

Filing System: any structured set of Personal Data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.

Group: any group of entities that are related to each other by virtue of being Subsidiaries of the same Ultimate Holding Company or subsidiaries of any such Subsidiaries. Ultimate Holding Company and Subsidiary have the meaning given in the DIFC Companies Law, Law No. 5 of 2018 (as amended or updated).

High Risk Processing Activities: Processing of Personal Data where one (1) or more of the following applies: (a) Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights; (b) a considerable amount of Personal Data will be Processed (including staff and contractor Personal Data) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Data or risks relating to the security, integrity or privacy of the Personal Data; (c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or (d) a material amount of Special Categories of Personal Data is to be Processed.

Identifiable Natural Person: a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and “Identified Natural Person” is interpreted accordingly).

International Organisation: an organisation and its subordinate bodies governed by public international law, or any other body that is set up by, or on the basis of, an agreement between two (2) or more countries.

Joint Controller: any Controller that jointly determines the purposes and means of Processing with another Controller.

Law: this Data Protection Law 2020, Law No. 5 of 2020 as may be amended.

Personal Data: any information referring to an identified or Identifiable Natural Person.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

President: the President of the DIFC.

Process, Processed, Processes and Processing (and other variants): any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by: (a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or (b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Processor: any person who Processes Personal Data on behalf of a Controller.

Profiling: the automated Processing of Personal Data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Registrar: the Registrar of Companies appointed pursuant to Article 6 of the Operating Law, DIFC Law No. 7 of 2018.

Regulations: has the meaning given in paragraph 2(e) of this Schedule 1.

Requesting Authority: has the meaning given in Article 28(1).

Ruler: the Ruler of the Emirate of Dubai.

Schedule: a schedule to the Law.

Special Categories of Personal Data: Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life, and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Single Discrete Incident: has the meaning given in Article 12(11).

Sub-processor: a processor appointed by the Processor as set out in Article 24(2).

Substantial Public Interest: includes, but is not limited to: (a) administration of justice, including criminal and regulatory investigations; and (b) exercise of a function conferred on a person by Applicable Law.

Third Country: a jurisdiction other than the DIFC, whether in the UAE or elsewhere.

Third Party: any person authorised to Process Personal Data, other than: (a) the Data Subject; (b) the Controller; (c) a Joint Controller; (d) the Processor; or (e) a Sub-processor.

UAE: the United Arab Emirates.

SCHEDULE 2

The following table sets out administrative fines that may be applied for the corresponding contraventions of this Law. This list is not exhaustive and may be updated from time to time.

Article: Contravention (Maximum Fine, USD)

9: Failing to comply with general requirements specified under Article 9 of the Law made for the purpose of this Law ($50,000)
10: Failing to comply with requirements for lawful Processing specified under Article 10 of the Law made for the purpose of this Law ($50,000)
11: Failing to comply with requirements for obtaining consent specified under Article 11 of the Law made for the purpose of this Law ($50,000)
12: Failing to comply with requirements for lawful Processing specified under Article 12 of the Law made for the purpose of this Law ($50,000)
14(1): Failing to comply with the requirements for accountability specified under Article 14(1) of the Law made for the purpose of this Law ($25,000)
14(2): Failing to implement and maintain technical and organisational measures to protect Personal Data in accordance with Article 14(2) of the Law made for the purpose of this Law ($50,000)
14(3): Failing to comply with the requirements for accountability specified under Article 14(3) of the Law made for the purpose of this Law ($25,000)
14(4): Failing to comply with the requirements for accountability specified under Article 14(4) of the Law made for the purpose of this Law ($25,000)
14(5): Failing to comply with the requirements for accountability specified under Article 14(5) of the Law made for the purpose of this Law ($25,000)
14(7): Failing to register with the Commissioner in accordance with Article 14(7) ($25,000)
15: Failing to maintain records of any Personal Data Processing operations in accordance with Article 15 ($25,000)
16: Failing to appoint a DPO in accordance with Articles 16(2) and 16(3) of the Law made for the purpose of this Law ($50,000)
20: Failing to carry out a data protection impact assessment prior to High Risk Processing Activities in accordance with Article 20 of the Law made for the purposes of this Law ($20,000)
22: Failing to comply with the requirements specified under Article 22(1), 22(2), 22(5) or 22(6) of the Law made for the purpose of this Law ($25,000)
23: Failing to comply with the requirements specified under Article 23 of the Law made for the purpose of this Law ($25,000)
24: Failing to comply with the requirements specified under Article 24(1), 24(3) or 24(6) of the Law made for the purpose of this Law ($25,000)
25: Failing to comply with the requirements specified under Article 25 of the Law made for the purpose of this Law ($25,000)
26: Failing to comply with the requirements specified under Article 26 of the Law made for the purpose of this Law ($25,000)
27: Failing to comply with the requirements specified under Article 27 of the Law made for the purpose of this Law ($50,000)
28: Failing to comply with the requirements specified under Article 28 of the Law made for the purpose of this Law ($10,000)
29: Failing to comply with the requirements specified under Article 29 of the Law made for the purpose of this Law ($75,000)
30: Failing to comply with the requirements specified under Article 30 of the Law made for the purpose of this Law ($75,000)
31: Failing to comply with the requirements specified under Article 31 of the Law made for the purpose of this Law ($75,000)
32(3): Failing to comply with the requirements specified under Article 32(3) of the Law made for the purpose of this Law ($75,000)
33: Failing to comply with the requirements specified under Article 33 of the Law made for the purpose of this Law ($100,000)
34: Failing to comply with the requirements specified under Article 34 of the Law made for the purpose of this Law ($100,000)
35: Failing to comply with the requirements specified under Article 35 of the Law made for the purpose of this Law ($100,000)
36: Failing to comply with the requirements specified under Article 36 of the Law made for the purpose of this Law ($100,000)
37: Failing to comply with the requirements specified under Article 37 of the Law made for the purpose of this Law ($100,000)
38: Failing to comply with the requirements specified under Article 38 of the Law made for the purpose of this Law ($100,000)
39: Failing to comply with the requirements specified under Article 39 of the Law made for the purpose of this Law ($50,000)
40: Failing to comply with the requirements specified under Article 40 of the Law made for the purpose of this Law ($25,000)
41: Failing to report a Personal Data Breach in accordance with Article 41 of the Law made for the purpose of this Law ($50,000)
42: Failing to report a Personal Data Breach in accordance with Article 42 of the Law made for the purpose of this Law ($50,000)
59: Failing to comply with a direction in accordance with Article 59(4) of the Law ($75,000)
65: Failing to comply with the requirements specified under Article 65 of the Law made for the purpose of this Law ($75,000)