PART 6: RIGHTS OF DATA SUBJECTS

32. Right to withdraw consent

(1) Where the basis for the Processing of Personal Data is consent under Article 10(1)(a) or under Article 11(1)(a), the Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5). Where a Controller has not complied with Article 12(5) a Data Subject may notify the Controller by any reasonable means.
(2) The right to withdraw consent is an absolute right available to a Data Subject if the basis for the Processing of the Data Subject’s Personal Data is consent under Article 10(1)(a) or Article 11(1)(a).
(3) Upon the exercise of a Data Subject's right to withdraw consent, a Controller must comply with Article 22 and must cease Processing the Personal Data as soon as reasonably practicable, and ensure that any Processors do the same.

33. Rights to access, rectification and erasure of Personal Data

(1) Upon request, a Data Subject has the right to obtain from a Controller without charge and within one (1) month of the request:
(a) confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed;
(b) a copy of the Personal Data undergoing Processing in electronic form and of any available information as to its source, including up-to-date information corresponding with the information requirements set out in Articles 29 and 30; and
(c) subject to Article 33(4), the rectification of Personal Data unless it is not technically feasible to do so.
(2) Subject to Article 33(3), the Data Subject has the right to require the Controller to erase the Data Subject's Personal Data where:
(a) the Processing of the Personal Data is no longer necessary in relation to the purposes for which it was collected;
(b) a Data Subject has withdrawn consent to the Processing where consent was the lawful basis for Processing and there is no other lawful basis, provided that in such circumstances the Controller must comply with Article 22;
(c) the Processing is unlawful or the Personal Data is required to be deleted to comply with Applicable Law to which the Controller is subject; or
(d) the Data Subject objects to the Processing and there is no overriding legitimate grounds for the Controller to continue with the Processing.
(3) The Controller is only required to comply with a request by a Data Subject to erase Personal Data where:
(a) one of the conditions in Article 33(2) applies; and
(b) subject to Article 33(4), the Controller is not required to retain the Personal Data in compliance with Applicable Law to which it is subject or for the establishment or defence of legal claims.
(4) Where rectification or erasure of Personal Data is not feasible for technical reasons, then the Controller is not in violation of this Law for failing to comply with a request for rectification or erasure of the Personal Data, in accordance with Articles 33(1)(c), 33(2)(a) or Article 33(2)(d) as applicable, if:
(a) the Controller collected the Personal Data from the Data Subject; and
(b) the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that rectification or erasure (as the case may be) of the Personal Data at the request of the Data Subject would not be feasible.
(5) Where a Data Subject suffers adverse effects as a result of the inability of a Controller to rectify Personal Data and where the need for rectification was not caused by the Data Subject's own provision of inaccurate data, the Controller shall provide all reasonable assistance to the Data Subject to enable the Data Subject to take steps to mitigate the adverse effects.
(6) A Controller shall direct all recipients and Processors to rectify or erase Personal Data where the respective right is properly exercised or to cease Processing and return or erase the Personal Data where the right to object is validly exercised. In such circumstances, Article 22 applies to the erasure of the Personal Data by both the Controller and the Processor.
(7) If a Data Subject request under Article 33(1) is particularly complex, or requests are numerous, the Controller may send notice to the Data Subject, within one (1) month, to increase the period for compliance by a further two (2) months citing the reasons for the delay.
(8) Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request, providing written confirmation to the Data Subject reasons for the refusal.
(9) A Controller must be able to demonstrate to the Commissioner upon request that a Data Subject’s request made in accordance with Article 33(8) is manifestly unfounded or excessive.
(10) If a Controller has reasonable doubts as to the identity of a Data Subject asserting a right under this Article 33, it may require the Data Subject to provide additional information sufficient to confirm the individual’s identity. In such cases, the time period for complying with the Data Subject request does not begin until the Controller has received information or evidence sufficient to reasonably identify that the person making the request is the Data Subject.
(11) Where a Controller complies with a request under Article 33(1)(b) it shall not disclose the Personal Data of other individuals in a way that may infringe their rights under Applicable Law and the Controller may redact or otherwise obscure Personal Data relating to such other individuals. Where the Data Subject's request is received by electronic means, and unless otherwise requested by the Data Subject, the information may be provided in a commonly used electronic form.
(12) The information to be supplied pursuant to a request under this Article 33 must be supplied by reference to the data in question at the time the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request.
(13) Without derogating from the requirements on DIFC Bodies as set out in Article 65(2), a Controller may restrict, wholly or partly, the provision of information to the Data Subject under Article 33(1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the Data Subject, a necessary and proportionate measure to:
(a) avoid obstructing an official or legal inquiry, investigation or procedure;
(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security; or
(e) protect the rights of others.
(14) Where the provision of information to a Data Subject under Article 33(1) is restricted in accordance with Article 33(13), a Controller must inform the Data Subject in writing without undue delay:
(a) that the provision of information has been restricted;
(b) of the reasons for the restriction;
(c) of the Data Subject’s right to lodge a complaint with the Commissioner under Article 60; and
(d) of the Data Subject’s right to apply to the Court under Article 63.
(15) Article 33(14)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.

34. Right to object to Processing

(1) A Data Subject has the right to:
(a) object at any time on reasonable grounds relating to his particular situation to Processing of Personal Data relating to him where such Processing is carried out on the basis that:
(i) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Controller; or
(ii) it is necessary for the purposes of the legitimate interests, where applicable, of a Controller or of a Third Party; and
(b) be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses, subject to any provision of this Law that does not permit disclosure; and
(c) where Personal Data is Processed for direct marketing purposes, object at any time to such Processing, including Profiling to the extent that it is related to such direct marketing.
(2) Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data, and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that overrides the interests, rights of a Data Subject or that the circumstances in Article 34(3) apply.
(3) If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.
(4) A Controller shall, no later than its first communication to a Data Subject, explicitly bring to the attention of the Data Subject in clear language that is prominent and separate from other communications or information, the rights referred to in Article 34(1).

35. Right to restriction of Processing

(1) Subject to Article 35(3), a Data Subject shall have the right to require a Controller to restrict Processing to the extent that any of the following circumstances apply:
(a) the accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Controller to verify the accuracy of the Personal Data;
(b) the Processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of its use instead;
(c) the Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
(d) the Data Subject has objected to Processing pursuant to Article 34 pending verification of whether the legitimate grounds of the Controller override those of the Data Subject.
(2) If a Controller lifts the period of restriction it shall inform the Data Subject in writing.
(3) Where Article 35(1) applies, the only Processing that may continue to be conducted without the consent of the Data Subject is:
(a) storage of the Personal Data concerned;
(b) Processing of the Personal Data for the establishment, exercise or defence of legal claims;
(c) Processing for the protection of the rights of another person; and
(d) Processing for reasons of Substantial Public Interest.

36. Controller's obligation to notify

The Controller shall communicate any rectification or erasure of Personal Data or Processing restriction carried out in accordance with Articles 33, 34 and 35 to each recipient to whom the Personal Data has been disclosed, unless this proves impossible or involves disproportionate effort. A Controller shall inform the Data Subject about those recipients if a Data Subject requests it.

37. Right to data portability

(1) A Data Subject shall have the right to receive Personal Data that he has provided to a Controller in a structured, commonly used and machine-readable format where the Processing is:
(a) based on the Data Subject's consent or the performance of a contract; and
(b) carried out by automated means.
(2) The purpose of Article 37(1) is to enable ready portability between Controllers if so required by the Data Subject, and the Data Subject shall have the right to have the Personal Data transmitted directly from the Controller to whom the request is made to any other person, where technically feasible.
(3) A Controller is not required to provide or transmit any Personal Data where doing so would infringe the rights of any other natural person.
38. Automated individual decision-making, including Profiling

(1) A Data Subject shall have the right to object to any decision based solely on automated Processing, including Profiling, which produces legal consequences concerning him or other seriously impactful consequences and to require such decision to be reviewed manually.
(2) Article 38(1) shall not apply if the decision is:
(a) necessary for entering into, or performance of, a contract between a Data Subject and a Controller;
(b) authorised by Applicable Law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights; or
(c) based on the Data Subject's explicit consent.
(3) DIFC law concerning fraud, counter-terrorism, money laundering, and tax-evasion monitoring and prevention which requires Processing of Personal Data that produces legal consequences concerning a Data Subject is regarded as falling within Article 38(2)(b).
(4) Article 38(2) does not apply if the Data Subject in question is a minor (by reference to the legal age of majority in the United Arab Emirates from time to time).
(5) A Controller may only rely on Articles 38(2)(a) and 38(2)(c) if it has implemented suitable measures to safeguard a Data Subject's rights which includes, at least, the ability for the Processing to be reviewed manually.
(6) Decisions affecting a Data Subject may not be based solely on the automated Processing, including Profiling, of Special Categories of Personal Data unless:
(a) the Data Subject has given explicit consent to the Processing of those Personal Data for such specific purposes; or
(b) the Processing is necessary for reasons of Substantial Public Interest, on the basis of Applicable Law, is proportionate to the aim pursued, respects the principles of data protection and provides for suitable measures to safeguard the rights and interests of the Data Subject.

39. Non-discrimination

(1) A Controller may not discriminate against a Data Subject who exercises any rights under this Part 6, including by:
(a) denying any goods or services to the Data Subject;
(b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
(c) providing a less favourable level or quality of goods or services to the Data Subject; or
(d) suggesting that the Data Subject will receive a less favourable price or rate for goods or services or a less favourable level or quality of goods or services.
(2) Nothing in this Article 39 prohibits a Controller from charging a Data Subject a different price or rate, or from providing a different level or quality of goods or services, if that difference is objectively and reasonably directly related to the value provided by the Data Subject’s data.
(3) Notwithstanding Article 39(1), a Controller may offer financial or non-financial incentives for the Processing of Personal Data provided that:
(a) the terms of the incentive are clearly communicated;
(b) the process for receiving the benefit of the incentive is clearly communicated, is transparent and does not require material additional effort or expense on the part of the Data Subject;
(c) the nature of the Processing involved is clearly communicated;
(d) the Processing complies in all respects with this Law; and
(e) it complies with Article 39(4).
(4) A Data Subject shall have the right to withdraw without penalty from, and require the cessation of Processing carried out under, any incentive scheme at any time. Incentive schemes must not be coercive or unreasonable in nature with respect to the Processing of Personal Data, including where the incentive is based on probability or a competition where the chance of receiving the incentive is disproportionately low compared to the value of the Personal Data and the impact on the Data Subject’s rights.

40. Methods of exercising Data Subject rights

A Controller shall make available a minimum of two (2) methods (which may include but shall not be limited to post, telephone, email or an online form), which shall not be onerous, by which a Data Subject can contact the Controller to request to exercise his rights under this Part. If a Controller maintains a website, at least one (1) method of contact shall be available without charge via the website, without the need to submit data to create an account of any sort. At least one of the methods should correspond to the contact details provided under Article 29 or 30 as applicable.