"The result of the processing and mishandling –voluntary or involuntary- of personal data can have significant consequences, including credit card and identity theft. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect personal data and its processing. Today governments and regulators world-wide, with the EU countries in the fore-front, are increasingly calling for measures to protect privacy and the adoption of data protection regimes to enforce such safeguards."
- Circular No. 1 of 27 May 2007 which has already been mentioned as it appears to serve the same purpose as a commencement order in England; and
- Circular No. 2 of 27 Aug 2009.
"Data Controllers must ensure that Personal Data which they Process is:
(a) Processed fairly, lawfully and securely;
(b) Processed for specified, explicit and legitimate purposes in accordance with the Data Subject’s rights and not further Processed in a way incompatible with those purposes or rights;
(c) adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further Processed;
(d) accurate and, where necessary, kept up to date; and
(e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected or for which they are further Processed."
As in the UK, there are special provisions for the processing of sensitive personal data, which is defined as personal data "revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life."
Sensitive Personal Data
The processing of sensitive personal data requires a permit from the Commissioner under art 10 (2) of the Law unless the requirements of art 10 (1) are met. The procedure for obtaining such a permit is set out in Regs 2 to 4.
Data Subjects' Rights
Data subjects have the following rights under art 17 (1) of the Law:
"(a) confirmation as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
(b) communication to him in an intelligible form of the Personal Data undergoing Processing and of any available information as to its source; and
(c) as appropriate, the rectification, erasure or blocking of Personal Data the Processing of which does not comply with the provisions of the Law."
In addition, they are entitled:
"(a) to object at any time on reasonable grounds relating to his particular situation to the Processing of Personal Data relating to him; and
(b) to be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses."
Transfer of Data Abroad
Art 11 (1) prohibits the transfer of personal data outside the DIFC without a permit from the Commissioner under art 12, except to a country or territory listed by the Commissioner that offers comparable protection for personal data. The latest list includes the countries of the European Economic Area including the United Kingdom, Channel Islands and the Isle of Man and, interestingly, the USA in respect of companies that comply with the Commerce Department's "Safe Harbor" Policy. Reg 5 of the Regulations sets out the procedure for obtaining a permit for the transfer of personal data outside the DIFC.
The Commissioner has very extensive powers of investigation and enforcement under art 25 (3). These include the power to fine under art 25 (3) (f) and to initiate a claim for compensation under art 35 for contravention of the law to the detriment of a data subject under art 26 (3) (g). Data subjects may complain in the first instance to the Commissioner under art 33 (1) who may mediate between the data subject and data controller under art 33 (2). Data controllers may appeal from the Commissioner to the DIFC Court under art 34 (1). The DIFC Court is, of course, a common law English language court before which I and other members of the English Bar can appear.
Further information about data protection in the DIFC can be obtained from the Data Protection Administrator at the
Dubai International Financial Centre Authority
Level 14, The Gate
PO Box 74777,
Dubai, United Arab Emirates
Tel: +971 4 362 2623
Fax: +971 4 362 2656
Should you require further information or advice in a specific case or representation in a mediation or appeal or application to the DIFC Court, do not hesitate to call me on 0800 862 0055 if you are in the UK or use my contact form. As you can see, data protection has been one of my interests since 1984.