26. Transfers out of the DIFC: adequate level of protection
(1) Processing of Personal Data that involves the transfer of Personal Data from the DIFC to a Third Country or to an International Organisation may take place only if:
(a) an adequate level of protection for that Personal Data is ensured by Applicable Law, as set out in Articles 26(2) and (3), including with respect to onward transfers of Personal Data; or
(b) it takes place in accordance with Article 27.
(2) For the purposes of Article 26(1), the Commissioner may determine from time to time that a Third Country, a territory or one (1) or more specified sectors within a Third Country, or an International Organisation ensures an adequate level of data protection, taking into account factors including:
(a) the rule of law, the general respect for individuals' rights and the ability of individuals to enforce their rights via administrative or judicial redress;
(b) the access of a public authority to Personal Data;
(c) the existence of effective data protection law, including rules on the onward transfer of Personal Data to a Third Country or International Organisation;
(d) the existence and functioning of one (1) or more independent, competent data protection or similar supervisory authorities with adequate enforcement powers; and
(e) international commitments and conventions binding on such Third Country or International Organisation and its membership of any multilateral or regional organisations.
(3) The Commissioner may, at his discretion, make such a determination that any Third Country, a territory or one (1) or more specified sectors within a Third Country, or an International Organisation ensures an adequate level of data protection based on adequacy decisions made by other competent data protection authorities where such decisions have taken into account the same factors listed at Article 26(2)(a) to (e) above.
(4) The Commissioner shall pass Regulations to provide details of his determinations under Article 26(2) and 26(3).
(5) The Commissioner may repeal, amend or suspend the adequacy status of any Third Country, territory or one (1) or more specified sectors within a Third Country, or International Organisation determined under Article 26(2). In such circumstances, the Commissioner will issue amended Regulations if necessary.
(6) Processing in accordance with this Article 26 does not require any specific authorisation or notification to the Commissioner other than as required under any other provision of this Law which may apply to such Processing.
27. Transfers out of the DIFC in the absence of an adequate level of protection
(1) A transfer or a set of transfers of Personal Data to a Third Country or an International Organisation may take place on condition that:
(a) the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2)), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
(b) one of the specific derogations in Article 27(3) applies; or
(c) the limited circumstances in Article 27(4) apply.
(2) The appropriate safeguards referred to in Article 27(1)(a) may be provided for by:
(a) a legally binding instrument between public authorities;
(b) Binding Corporate Rules, subject to Article 27(6);
(c) standard data protection clauses as adopted by the Commissioner in accordance with Regulations setting out a procedure for developing such clauses;
(d) an approved code of conduct pursuant to Article 48 together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding a Data Subject’s rights; or
(e) an approved certification mechanism pursuant to Article 50 together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding Data Subjects' rights.
(3) The derogations referred to in Article 27(1)(b) are:
(a) a Data Subject has explicitly consented to a proposed transfer, after being informed of possible risks of such transfer due to the absence of an adequacy decision or appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between a Data Subject and Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract that is in the interest of a Data Subject between a Controller and a Third Party;
(d) the transfer is necessary for reasons of Substantial Public Interest;
(e) the transfer is necessary or legally required in the interests of the DIFC, including in the interests of the DIFC Bodies relating to the proper discharge of their functions;
(f) the transfer is necessary for the establishment, exercise or defence of a legal claim;
(g) the transfer is necessary in order to protect the vital interests of a Data Subject or of other persons where a Data Subject is physically or legally incapable of giving consent;
(h) the transfer is made in compliance with Applicable Law and data minimisation principles, set out in Article 9(1)(e), from a register that is:
(i) intended to provide information to the public; and
(ii) open for viewing either by the public in general or by any person who can demonstrate a legitimate interest;
(i) subject to Article 28, the transfer is:
(i) necessary for compliance with any obligation under Applicable Law to which the Controller is subject; or
(ii) made at the reasonable request of a regulator, police or other government agency or competent authority;
(j) subject to international financial standards, the transfer is necessary to uphold the legitimate interests of a Controller recognised in international financial markets, except where such interests are overridden by the legitimate interests of the Data Subject relating to the Data Subject's particular situation; or
(k) the transfer is necessary to comply with applicable anti-money laundering or counter-terrorist financing obligations that apply to a Controller or Processor or for the prevention or detection of a crime.
(4) Where a transfer could not be based on one of the provisions in this Article 27(1) to (3) or Article 26, such transfer to a Third Country or an International Organisation may take place only if:
(a) the transfer is not repeating or part of a repetitive course of transfers;
(b) concerns only a limited number of Data Subjects;
(c) is necessary for the purposes of compelling legitimate interests pursued by the Controller that are not overridden by the interests or rights of the Data Subject; and
(d) the Controller has completed a documentary assessment of all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of Personal Data.
(5) A Controller shall inform the Commissioner of any transfer made pursuant to Article 27(4) and shall, in addition to providing the information referred to in Articles 29 or 30, as applicable, inform the Data Subject of the transfer and the compelling legitimate interests.
(6) A public authority subject to DIFC law may not rely on Articles 27(3)(a), (b) and (c), or on Article 27(4).
(7) A Controller or Processor may rely on its existing Binding Corporate Rules subject to the following:
(a) relevant Binding Corporate Rules may only be used for lawful transfers within the Controller's or the Processor's respective Group (and, in the case of the Processor, only where permitted by the Controller); and
(b) relevant Binding Corporate Rules must have been reviewed and approved by the Commissioner.
(8) A Controller or Processor may make a request to the Commissioner for approval of its Binding Corporate Rules that have been approved by a competent data protection or similar supervisory authority in any jurisdiction to which Article 26(2) applies, and the Commissioner shall approve or reject such request, which shall include:
(i) a full copy of its Binding Corporate Rules and confirmation as to whether such Binding Corporate Rules have been approved by any competent data protection authority;
(ii) details of the transfers it intends to make or receive in reliance on the Binding Corporate Rules; and
(iii) where the Binding Corporate Rules operate on the basis that members of the Controller's or Processor's Group (including the Controller or Processor) will bind other members of the Group, such as by way of power of attorney, full evidence of all valid instruments necessary to create such powers to bind should also be provided.
(9) If a set of Binding Corporate Rules is amended at any time, a Controller or Processor shall provide a revised copy to the Commissioner without delay, in a form that clearly shows all edits. The Commissioner may approve or reject the revised Binding Corporate Rules. If the revised Binding Corporate Rules are rejected then the Controller or Processor may no longer rely on them.
(10) A Controller or Processor shall confirm in writing annually to the Commissioner that an approved set of Binding Corporate Rules remains in the same form and is used to facilitate the same transfers as approved.
(11) The Commissioner may provide guidance or make Regulations regarding the procedure for approving or rejecting and suggested contents of Binding Corporate Rules, and may require a Controller or Processor to provide evidence of any matter relating to Binding Corporate Rules.
28. Data sharing
(1) Subject to any other obligations under this Law and, in particular, a Controller’s or Processor’s obligations under Part 2 regarding accountability, transparency and compliance with general data protection principles or Part 4 regarding transfers out of the DIFC, where a Controller or Processor receives a request from any public authority over the person or any part of its Group ("a Requesting Authority") for the disclosure and transfer of any Personal Data, it should:
(a) exercise reasonable caution and diligence to determine the validity and proportionality of the request, including to ensure that any disclosure of Personal Data in such circumstances is made solely for the purpose of meeting the objectives identified in the request from the Requesting Authority;
(b) assess the impact of the proposed transfer in light of the potential risks to the rights of any affected Data Subject and, where appropriate, implement measures to minimise such risks, including by redacting or minimising the Personal Data transferred to the extent possible or utilising appropriate technical or other measures to safeguard the transfer; and
(c) where reasonably practicable, obtain appropriate written and binding assurances from the Requesting Authority that it will respect the rights of Data Subjects and comply with the general data protection principles set out in Part 2 in relation to the Processing of Personal Data by the Requesting Authority.
(2) A Controller or, as applicable, its Processor(s) or any Sub-processor(s), having provided (where possible under Applicable Law) reasonable notice to the Controller, may disclose or transfer Personal Data to the Requesting Authority where it has taken reasonable steps to satisfy itself that:
(a) a request by a Requesting Authority referred to in Article 28(1) is valid and proportionate; and
(b) the Requesting Authority will respect the rights of Data Subjects in the Processing of any Personal Data transferred to it by the Controller pursuant to a request under Article 28(1).
(3) A Controller or Processor may consult with the Commissioner in relation to any matter under this Article 28.