DATA PROTECTION REGULATIONS

In force on 1 July 2020

CONTENTS

1. INTRODUCTION ................................................................................................................. 1
1.1 Application and interpretation .............................................................................................................. 1
1.2 References to writing ............................................................................................................................ 1

2. RECORDS ............................................................................................................................. 1
2.1 Records contents ................................................................................................................................... 1
2.2 Guidance ............................................................................................................................................... 2

3. NOTIFICATIONS ................................................................................................................ 3
3.1 Notifying the Commissioner ................................................................................................................. 3
3.2 Time for filing Notifications ................................................................................................................. 3
3.3 Fees ..................................................................................................................................................... 4

4. DPO CONTROLLER ASSESSMENT................................................................................ 4

5. TRANSFERS OUT OF THE DIFC ..................................................................................... 4

6. MEDIATION ......................................................................................................................... 4
6.1 Process of mediation ............................................................................................................................. 4

7. FINES ..................................................................................................................................... 5
7.1 Notice of fines....................................................................................................................................... 5
7.2 Notice of Objection ............................................................................................................................... 5
7.3 Application to the Court ....................................................................................................................... 5

APPENDIX 1 - FEES ................................................................................................................... 6

i
 DATA PROTECTION REGULATIONS

1. INTRODUCTION

These Regulations may be cited as the “Data Protection Regulations”.

1.1 Application and interpretation

1.1.1 In these Regulations a reference to the Law is a reference to the Data Protection Law 2020.

1.1.2 These Regulations apply to any person to whom the Law applies.

1.1.3 Defined terms are as set out in the Law and are identified throughout these Regulations by the capitalisation
of the initial letter of a word or phrase. Where capitalisation of the initial letter is not used, an expression has
its natural meaning.

1.1.4 Where reference is made in these Regulations to a statutory provision, it is a reference to the provision as
amended, and includes a reference to that provision as extended or applied by or under any other provision,
unless the contrary intention appears.

1.1.5 Unless the contrary intention appears:

(a) words in these Regulations importing the masculine gender include the feminine and words
importing the feminine gender include the masculine; and

(b) words in these Regulations in the singular include the plural, and words in the plural include the
singular; and

1.1.6 The Rules of interpretation in the Law apply to these Regulations.

1.2 References to writing

1.2.1 If a provision in these Regulations refers to a communication, notice, agreement of other document ‘in
writing’ then, unless the contrary intention appears, it means in legible form and capable of being reproduced
on paper, irrespective of the medium used. Expressions related to writing must be interpreted accordingly.

1.2.2 This does not affect any other legal requirements which may apply in relation to the form or manner of
executing a document or agreement.

2. RECORDS

2.1 Records contents

For the purposes of Article 15(1) of the Law, a Controller must record at least the following information in
relation to its Personal Data Processing operations:

(a) description of the Personal Data Processing being carried out;

(b) an explanation of the purpose for the Personal Data Processing;

(c) the Data Subjects or class of Data Subjects whose Personal Data is being processed;

(d) a description of the class of Personal Data being processed; and

(e) a list of the jurisdictions to which Personal Data may be transferred by the Controller, along with
an indication as to whether the particular jurisdiction has been assessed as having adequate levels
of protection for the purposes of Articles 26 and 27 of the Law.

1
 DATA PROTECTION REGULATIONS

2.2 Guidance

2.2.1 With respect to Regulation 2.1.1(b) the purposes for which Personal Data may be Processed will vary but
includes at least one (1) or more of the following:

(a) accounting and auditing;

(b) administration of justice;

(c) administration of membership records;

(d) advertising, marketing and public relations for the Controller itself;

(e) advertising, marketing and public relations for others;

(f) benefits, grants and loans administration;

(g) consultancy and advisory services;

(h) credit referencing;

(i) debt administration and factoring;

(j) education;

(k) information and data bank administration;

(l) insurance administration;

(m) legal services;

(n) licensing and registration;

(o) pastoral care;

(p) pensions administration;

(q) policing;

(r) private investigation;

(s) property management;

(t) provision of financial services;

(u) research; and

(v) staff administration.

2.2.2 With respect to Regulation 2.1.1(c), where Personal Data of multiple Data Subjects is being processed, a
Controller may instead of listing individual Data Subjects, record the class of Data Subject involved. In such
a case, the Controller may use the following, or other similar, classes:

(a) staff, including agents, temporary and casual workers;

(b) clients and customers;

(c) suppliers;

2
 DATA PROTECTION REGULATIONS

(d) members;

(e) complainants, correspondents and enquirers;

(f) relatives and associates of the Data Subject; and

(g) advisors, consultants and other professional experts.

3. NOTIFICATIONS

3.1 Notifying the Commissioner

3.1.1 For the purposes of Articles 14(7) and 14(8) of the Law, a Controller or Processor must notify the
Commissioner of the following Personal Data Processing operations or set of such operations including but
not limited to:

(a) the Processing of Personal Data;

(b) Special Category Data; and

(c) the transfer of Personal Data to a recipient outside of the DIFC which is not subject to laws and
Regulations which ensure an adequate level of protection.

3.1.2 When a Controller or Processor gives a notification to the Commissioner in accordance with Regulation
3.1.1, the notification must contain the following information:

(a) a general description of the Personal Data Processing being carried out;

(b) an explanation of the purpose for the Personal Data Processing;

(c) the Data Subjects or class of Data Subjects whose Personal Data is being processed;

(d) a description of the class of Personal Data being processed; and

(e) a statement of jurisdictions to which Personal Data will be transferred by the Controller, along with
an indication as to whether the particular jurisdiction has been assessed as having an adequate level
of protection for the purposes of Articles 26 and 27 of the Law.

3.1.3 The notification required by Regulation 3.1.1 must be provided to the Commissioner:

(a) as soon as possible and in any event within fourteen (14) days of commencing the Personal Data
Processing referred to in Regulation 3.1.1;

(b) on every anniversary of the initial notification, where the Personal Data Processing is to continue
in the subsequent year; and

(c) as soon as possible and in any event within fourteen (14) days upon any Personal Data Processing
being processed in a manner different to that described in the initial notification.

3.2 Time for filing Notifications

Where the Law requires a notification to be filed with the Commissioner, the notification must be filed, in
the absence of a time limit being stated in the Law or these Regulations, within fourteen (14) days of the
date of the happening of the event to which the notification relates.

3
 DATA PROTECTION REGULATIONS

3.3 Fees

For the purposes of Article 14(8)(b) of the Law, a Controller or Processor must pay any applicable fees in
respect of matters set out in Appendix 1.

4. DPO CONTROLLER ASSESSMENT

For the purposes of Article 19(3), the Commissioner has approved and published the format, required content
and deadline for submission of Annual Assessments on the Data Protection section of the DIFC website
(difc.ae), which may be updated from time to time.

5. TRANSFERS OUT OF THE DIFC

For the purposes of Article 27(2)(c), the Commissioner has approved and published standard contractual
clauses that may be used for transfers outside the DIFC to a non-adequate jurisdiction. These clauses may
be updated from time to time, and are available on the Data Protection section of the DIFC website (difc.ae).

6. MEDIATION

6.1 Process of mediation

6.1.1 For the purposes of Article 60 of the Law, a person may file a complaint with the Commissioner by lodging
a written notice providing the following information:

(a) full name and address of the person making the complaint;

(b) the Controller whom the person believes has contravened the Law;

(c) a detailed statement of facts which the person believes gives rise to contravention of the Law; and

(d) the relief sought by the person making the complaint.

6.1.2 Upon receiving a complaint lodged under Article 60 of the Law, the Commissioner may follow such
practices and procedures in the mediation of the claim that will, in the view of the Commissioner, lead to the
most timely, fair and effective resolution of the claim.

6.1.3 At the conclusion of the mediation process, should the Commissioner determine to issue a direction requiring
a Controller to do any act or thing in accordance with Article 60(4) of the Law, he will do so by issuing a
notice in writing setting out:

(a) the act or thing that the Controller is required to do; and

(b) the time within which, or before which, the Controller is required to do that act or thing.

4
 DATA PROTECTION REGULATIONS

7. FINES

7.1 Notice of fines

7.1.1 Where the Commissioner decides to impose a fine pursuant to Article 62(2) of the Law, he will give a
Controller or Processor written notice in accordance with Notice 1 in Appendix 2:

(a) alleging that reason that the Controller or Processor has committed the contravention and giving
particulars of the facts alleged by the Commissioner to constitute a contravention;

(b) setting out the fine imposed by the Commissioner in respect of the contravention;

(c) specifying the period during which the fine may be paid; and

(d) providing an address for filing a notice of objection.

7.1.2 Where a fine is issued pursuant to Article 62(3), the Commissioner will give written notice in substantially
the same format as Notice 1 in Appendix 2 and as described in Regulation 7.1.1.

7.2 Notice of Objection

7.2.1 Where a Controller or Processor wishes to file a notice of objection to an administrative fine issued pursuant
to Article 62(2) directly to the Commissioner, it must be set out in accordance with Notice 2 of Appendix 2
and must detail every matter which the person believes ought to be taken into account by the Commissioner
in determining whether to accept the objection in full or alter the fine amount.

7.2.2 Where a Controller or Processor wishes to file a notice of objection to an administrative fine issued pursuant
to Article 62(3) directly to the Commissioner, it must be set out in accordance with Notice 2 of Appendix 2
and must detail every matter which the person believes ought to be taken into account by the Commissioner
in determining whether to accept the objection in full or alter the fine amount.

7.2.3 The notice of objection filed under Regulation 7.2.1 or 7.2.2 shall constitute the representations of the
relevant person and sets out every matter which the person believes ought to be taken into account by the
Registrar in making its decision.

7.2.4 Where a fine is imposed under Article 62 of the Law and the person files a notice of objection within the
period specified, the Commissioner may not recover the fine as a debt due until the objection is resolved.

7.2.5 If at the end of the period for payment specified in the notice imposing the fine, the Controller has not paid
the full amount of the fine and has not filed a notice of objection, the Commissioner may apply to the Court
for payment of the fine, or so much of the fine as is not paid, and any further orders the Court sees fit for
recovery of the fine, including any orders for costs.

7.2.6 The Commissioner may withdraw a notice imposing a fine whenever he considers it appropriate.

7.2.7 The administrative fines are set out in Schedule 2 of the Law.

7.3 Application to the Court

7.3.1 Subject to Regulation 5.3.2, the Commissioner may recover the outstanding amount of the fine as a debt due
if he has confirmed his decision to impose a fine and the fine remains unpaid, in full or in part.

7.3.2 The Registrar shall not recover the outstanding amount of the fine as a debt due under Regulation 7.3.1,
where the person to whom a fine has been imposed makes an application to the Court within thirty (30) days
of the date on which the Commissioner confirms his decision, and the Court subsequently determines that
the fine should not be payable.

5
 DATA PROTECTION REGULATIONS

APPENDIX 1 - FEES

1.1 Table of fees

Category
Upon receipt by the Commissioner of Data Protection of:
I II III
Registration (Notification) $1,250 $750 $250
Annual renewal of the registration $500 $250 $100
Amendments to the registrable particulars of the notification $100 $50 $10
Notification to inform the Commissioner of Data Protection of not
Nil Nil Nil
Processing Personal Data
Amendments to contact details Nil Nil Nil

1.2 Notes:

1.2.1 Category I includes entities regulated by the DFSA;

1.2.2 Category II includes DFSA non-regulated entities, except retail; and

1.2.3 Category III includes retail entities.

6
 DATA PROTECTION REGULATIONS

APPENDIX 2 - NOTICES

NOTICE 1

COMMISSIONER OF DATA PROTECTION

NOTICE OF ADMINISTRATIVE FINE PURSUANT TO ARTICLE 62 OF THE DATA PROTECION LAW

To: Full name and address of Controller or Processor receiving Notice

1. The Commissioner of Data Protection considers that you have contravened {provisions alleged to have been
contravened}.

2. The particulars of the facts giving rise to this contravention/these contraventions are as follows:

{statement of the facts constituting the contravention}.

3. The main purposes of the imposition of an administrative fine is to minimise or offset any benefit a person
may obtain from non-compliance with the Data Protection Law 2020, and to promote high standards of
conduct and a culture of compliance by deterring persons from committing contraventions. Taking into
account these purposes, the facts set out in paragraph 2 of this Notice of Administrative Fine and the general
circumstances of this matter, the following fine is imposed:

{statement of each contravention and fine imposed}.

4. This fine may be paid at any time before 5pm on {date} by forwarding payment to {address}.

5. Should you pay this fine prior to 5pm on {date}, then no proceedings will be commenced by the
Commissioner of Data Protection against you in respect of the contraventions the subject of this notice.
However, should you continue to be in contravention of the Law, the Commissioner may take action in
respect of any obligation to do or refrain from doing any act or thing.

6. If you object to the imposition of this fine, you may file a notice of objection by sending or delivering such
a notice in the form attached, to the following address:

{address}

7. The notice of objection must contain every matter you wish the Commissioner of Data Protection to take
into account in determining whether to commence proceedings in the Court. The notice of objection must
be received by the Commissioner of Data Protection before 5pm on {date}. Should you file a notice of
objection, the Commissioner of Data Protection will take steps with a view to immediately determining
whether to commence proceedings against you for payment of the fine.

8. Should you neither pay the full amount of the fine, nor file a notice of objection before 5pm on {date}, then
the Commissioner of Data Protection may apply to the Court for payment of so much of the fine as remains
unpaid, together with costs and any other remedies set out in the Data Protection Law 2020.

9. Should no notice of objection be filed in respect of the imposition of this fine, then the Commissioner of
Data Protection may publish details of the matter to which this Notice of Administrative Fine relates.

……………………………………………… ………………………
Name: {Commissioner of Data Protection Officer} Date

Delegate of the Commissioner of Data Protection

7
 DATA PROTECTION REGULATIONS

NOTICE 2

NOTICE OF OBJECTION – Administrative Fine

To: Commissioner of Data Protection

1. I refer to the Notice of Administrative Fine, the details of which are as follows:

{Date of Notice of Administrative Fine}

{Controller or Processor to whom such Notice was addressed}

{Date for lodgement of notice of objection as stated in Notice of Administrative Fine}

2. I object to the imposition of the fine or so much of the fine that relates to {the details of aspects disputed}.

3. {If the Controller or Processor to whom the Notice of Administrative Fine is addressed is not the responsible
Controller or Processor: I hold the position of {position} within {Controller or Processor to whom Notice
of Administrative Fine is addressed} and I am authorised on its behalf to file this notice of objection}.

4. In determining whether to {commence proceedings in the Court} I believe that the Commissioner of Data
Protection ought to take into account the following matters:

{detailed statement of relevant matters}

……………………………………………… ………………………
Name: Date

8
 DATA PROTECTION REGULATIONS

APPENDIX 3 - ADEQUATE JURISDICTIONS

1.1 List of adequate jurisdictions under Article 26(2) of the Law

Austria Portugal
Belgium Romania
Bulgaria Slovakia
Croatia Slovenia
Cyprus Spain
Czech Republic Sweden
Denmark United Kingdom
Estonia Iceland
Finland Liechtenstein
France Norway
Greece Andorra
Germany Argentina
Hungary Canada
Ireland Faroe Islands
Italy Guernsey
Latvia Isle of Man
Lithuania Japan
Luxembourg Jersey
Malta New Zealand
Netherlands Switzerland
Poland Uruguay
Abu Dhabi Global Market

1.2 Guidance:

1.2.1 Pursuant to Article 26(2) of the Law, the Commissioner may from time to time approve other jurisdictions,
in addition to those listed in 1.1 above, as having an adequate level of protection for Personal Data.

1.2.2 Privacy Shield, which replaced Safe Harbor in 2016, is a mechanism recognised by the European
Commission for transferring personal data between the European Union / European Economic Area and the
United States of America only. The DIFC does not recognise it for this reason, as DIFC has no such
agreement in place for transfers of personal data from the DIFC to the United States of America. Therefore
Privacy Shield cannot be relied upon for transfers from the DIFC to the United States of America.