DIFC Data Protection Law 2020 – PART I


The new Data Protection Law of 2020 (DIFC Law No. 5 of 2020) (the “New Law”) enacted by the DIFC came into force on 1st July, 2020. The New Law repeals the existing DIFC Data Protection Law (Law No. 1 of 2007 (as amended) (“Old Law”)). The provisions set out in the New Law enhance the existing legal framework on data protection in the DIFC and are closely aligned with the EU’s General Data Protection Regulation (GDPR).

In Part – I of this article, we will be explaining in detail the: (i) applicability of the New Law; (ii) lawful grounds for a Controller or Processor to process Personal Data; (iii) Special Categories Personal Data and the lawful grounds for processing the same; and (iv) rights available to data subjects under the New Law.

Applicability of the New Law:

The New Law includes within its scope:

  • Processing of Personal Data carried out by either a Controller or a Processor incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC.
  • The New Law also applies to regular, formal, Processing activities in the DIFC, regardless of whether the Controller or Processor undertaking the Processing is incorporated in the DIFC.
  • The New Law also applies for processing of Personal Data through automated means.

However, the New Law excludes processing of personal data by an individual for private use or non-commercial purposes.

Lawfulness of Processing Personal Data:

  • Free and explicit consent: The customer of the Controller or Processor, i.e. the data subject, needs to provide free and clear consent to the Controller or Processor for processing his data. The consent has been given through a clear affirmative act showing an unambiguous indication of consent, if it is to be relied on as a basis for processing. Appropriate and proportionate measures should be implemented to assess the ongoing validity of the consent, manage the recording of consent and the withdrawal of consent, and that periodic evaluations of the same are conducted.
  • Performance of contract: Controller or Processor can process the Personal Data of data subjects when it is necessary to perform the contract to which the data subject has consented to.
  • Compliance with the laws: Personal Data can be processed when it necessary to comply with the applicable laws which governs the Controller or Processor.
  • Protection of Vital Interest: GDPR explains that the term ‘vital interest’ means a situation which is necessary for the protection of life of the data subjects or other people. This explanation has not been provided in the New Law. However, a fair assumption can be made that Personal Data can be processed under this ground.
  • Public Interest: GDPR has provided the explanation that Personal Data that is vital for the public interest can be processed. For example, processing of Personal Data for COVID-19 pandemic may be construed under this ambit. This explanation has not been provided in the New Law. However, a fair assumption can be made that Personal Data can be processed under this ground.
  • Legitimate Interest: A Controller or Processor can process Personal Data for its legitimate interest such as marketing purposes. Under the New Law, a data subject has the right to consent to such processing or object or withdraw the consent as well.

Special Categories of Personal Data:

Special Categories Personal Data includes data related health, genetics, biometrics, sexual preferences etc. To process such personal data, a Controller or Processor must have any one of the following grounds:

  • Express consent of the data subject;
  • Necessary to fulfil Controller or Processor’s obligations in relation to employment;
  • Protection of vital interest of data subjects (as explained above);
  • The Special Category Personal Data is already available in the public domain;
  • Fulfilment of obligations of a foundation or non-profit organization for its legitimate activities for its members;
  • To represent or defend against legal claims;
  • For compliance with applicable laws governing the Controller or Processor;
  • Necessary for the protection of public interest (as explained above);
  • To comply with the Anti-Money Launder and Counter Terrorism Financing laws;
  • Necessary to protect rights of the data subject against dishonesty, fraud or malpractice in the banking and finance sector;
  • Processing is necessary for the reasonable protection of the data subject’s rights.

A point to be noted here is that in the GDPR, a Controller or Processor can process Special Categories Personal Data in the events of cross-border life threats such as the COVID-19 pandemic. Even though, this lawful ground has not been expressly included in the New Law, a reasonable assumption can be made that in such pandemic situations a Controller or Processor can process Special Categories Personal Data for protection of ‘vital interest’.

Rights of the Data Subjects:

Under the New Law, the data subjects have the following rights:

  1. Right to withdraw consent to any given time;
  2. Right to access the Personal Data;
  3. Right to to remove the Personal Data available with the Controller or Processor;
  4. Right to rectify any errors in the Personal Data and to keep the Personal Data up to date;
  5. Right to object to the processing of Personal Data for the purposes of the Controller or Processor;
  6. Right to restrict the processing of the Personal Data at any given time;
  7. Right to transfer the Personal Data from one Controller or Processor to another Controller or Processor;
  8. Right to object or restrict or withdraw consent against processing of Personal Data by automated mechanisms (ex. AI or Blockchain) and targeted profiling of such data subjects for third-party advertisements; and
  9. Right to non-discrimination from other data subjects when a data subject exercises any of the above-mentioned rights in terms of pricing or services rendered by the Controller or Processor.

In practice, a data subject can exercise any of the above-mentioned rights by contacting the Controller or Processor at the email ID or address given in the terms and conditions which apply to the data subject or by contacting the Data Protection Officer of such Controller or Processor. Once a data subject exercises any of the above-mentioned rights, the Controller or Processor has to immediately take action upon becoming aware of such information. Failure to do so, will attract fines and penalties on such Controller or Processor, which shall be discussed in detail in Part – II of this article.

In Part II of this article, we shall explain in detail (i) High Risk Processing Activities; (ii) Data Protection Officer; (iii) Data Protection Impact Assessment; (iv) Notification of breach in privacy; and (v) fines and penalties that are imposed under the New Law.


ADV. Shayan Dasgupta
Corporate & Commercial – M&A | FinTech, Blockchain & AI