PART 8: THE COMMISSIONER

43. Appointment of the Commissioner

(1) The President shall appoint a person to be the Commissioner who is appropriately experienced and qualified.
(2) The President shall consult with the DIFCA Board of Directors prior to appointing, re-appointing or removal of the Commissioner.
(3) The Commissioner shall be appointed for a specified period of time not exceeding five (5) years, and may be re-appointed provided that such period may not extend beyond the day when the Commissioner turns seventy-five (75) years of age.
(4) The Commissioner shall not be held personally liable for any act or omission committed by him under or in relation to this Law or in relation to his duties and functions as Commissioner, save for where the Commissioner has acted in bad faith. The DIFCA will indemnify and hold harmless the Commissioner with respect to all Liabilities whatsoever that may be incurred by or suffered by the Commissioner in relation to the discharge of the Commissioner's duties and functions under or in relation to this Law and his duties and functions as Commissioner.
(5) "Liabilities" as used in Article 43(4) includes, without limitation, the costs of settlements, judgments, damages and expenses including legal fees, costs and expenses, including legal fees, costs and expenses incurred in establishing a right to indemnity hereunder.

44. Removal of the Commissioner

The Commissioner may be removed from office by written notice issued by the President for reasons of inability, incapacity or misbehaviour.

45. Resignation of the Commissioner

The Commissioner may at any time resign as the Commissioner by giving three (3) months written notice addressed to the President.

46. Powers, functions and objectives of the Commissioner

(1) The Commissioner has such powers, duties and functions as conferred on him under this Law and any Regulation made under this Law and shall exercise such powers and perform such functions in pursuit of the objectives of this Law and the Regulations.
(2) In performing his functions and exercising his powers, the Commissioner shall pursue the following objectives:
(a) to monitor, ensure and enforce compliance with this Law;
(b) to promote good practices and observance of the requirements of this Law and the Regulations by a Controller or Processor; and
(c) to promote greater awareness and public understanding of data protection and the requirements of this Law and the Regulations in the DIFC.
(3) Without limiting the generality of Article 46(1), the Commissioner has the following powers, duties and functions:
(a) auditing a Controller or Processor, which includes having the right to obtain access to any premises and to any Processing equipment or means of a Controller or Processor who is subject to this Law, as well as having the right to require the production of information under Article 52. A Controller or Processor shall not be required to provide access to or produce legally privileged material or material subject to a conflicting obligation of non-disclosure under Applicable Law. The Commissioner shall seek to minimise unreasonable interruption to the Controller or Processor in the exercise of its rights under this Article 46(3)(a) and shall give reasonable notice of its access requirements, in each case taking into account the purpose of the audit, the perceived risk to the rights of Data Subjects, the need to act urgently, the risk of loss or unavailability of information and the seriousness of any suspected contravention of this Law;

(b) conducting investigations and inspections to verify compliance with this Law;
(c) issuing directions in accordance with Article 59, and issuing warnings or admonishments and making recommendations to a Controller or Processor, including ordering the appointment of a DPO as described in Article 16(3);
(d) initiating proceedings for contraventions of the Law before the Court that may be self-initiated or initiated in response to an investigation of a complaint or a request from a Data Subject; for such purposes, the Commissioner shall be available for a Data Subject to contact in order to make complaints and shall take such action as he sees fit in furtherance of his primary objectives described in Article 46(1);
(e) imposing fines in the event of non-compliance with a direction;
(f) imposing fines for non-compliance with the Law and any Regulations, including from time to time setting any limits or issuing schedules of fines applicable to specific breaches of the Law and any Regulations;
(g) initiating a claim for compensation on behalf of a Data Subject before the Court where there has been a material contravention of the Law to the detriment of the Data Subject;
(h) preparing or causing to be prepared in a timely and efficient manner:

(i) draft Regulations;
(ii) draft standards or codes of practice; and
(iii) guidance;


(i) submitting such draft Regulations, draft standards, and draft codes of practice to the DIFCA Board of Directors for approval and advising it of any guidance that is issued;
(j) promoting, as appropriate, and dealing with codes of conduct intended to contribute towards the application of this Law, as further described in Article 48;
(k) prescribing forms to be used for any of the purposes of this Law or any Applicable Law administered by the Commissioner;
(l) acquiring, holding and disposing of property of any description;
(m) making contracts and other agreements;
(n) with the prior consent of the President, borrowing monies and providing security for such borrowings;
(o) employing and appointing persons on such terms as he considers appropriate to assist him in the exercise of his powers and performance of his functions;
(p) where he considers it appropriate to do so, delegating such of his functions and powers as may more efficiently and effectively be performed by his officers or employees and, with the approval of the President either generally or in relation to any particular matter, by any other person;
(q) taking such steps as he deems appropriate in order to develop and participate in international cooperation mechanisms to facilitate data sharing and enforcement standards, including communicating with other competent data protection authorities with respect to breaches of this Law involving multi-jurisdictional organisations or Groups; and
(r) exercising and performing such other powers and functions as may be delegated to the Commissioner by the President pursuant to the provisions of this Law.
(4) The Commissioner has power to do whatever he deems necessary, for or in connection with, or reasonably incidental to, the performance of his functions.
(5) In exercising his powers and performing his functions the Commissioner shall act in an independent and impartial manner and will not accept instructions from any other party.

47. Delegation of powers and establishment of advisory committee

(1) The Commissioner, where he considers it appropriate to do so, may delegate such of his functions and powers as may more efficiently and effectively be performed by officers and employees of the Commissioner, and with the approval of the DIFCA Board of Directors, either generally or in relation to any particular matter, to any other person.
(2) The Commissioner may establish an advisory committee. He may appoint a chairperson and a secretariat for the advisory committee.
(3) The scope and function of the advisory committee shall be confirmed in Regulations published by the Commissioner but may include:
 

(a) advising the Commissioner on any issue related to the protection of Personal Data and the application of this Law;
(b) assisting the Commissioner with the drafting of guidelines, recommendations, and best practices;
(c) assisting the Commissioner with respect to accreditation schemes, codes of conduct, mechanisms for data transfer;
(d) drafting Regulations;
(e) providing input, as requested by the Commissioner, regarding any question arising under this Law that the Commissioner is required to consider;
(f) preparing reports for the Commissioner; and
(g) liaising with other data protection committees and authorities as directed by the Commissioner.
 

(4) The advisory committee shall exercise its functions in an independent manner.

48. Codes of conduct

(1) A Controller, Processor, or any other body including any foundation, association, academic organisation, certification body or non-profit organisation representing categories of Controllers or Processors may prepare, amend or extend codes of conduct, for the purpose of specifying the application of and to contribute to the proper application of this Law. Specific codes may be developed that take account of the features of the various Processing sectors and the specific needs of different types of enterprises.
(2) Matters that such codes may cover include:

(a) fair and transparent Processing;
(b) legitimate interests pursued by a Controller in specific contexts;
(c) collection of Personal Data;
(d) pseudonymisation or anonymisation of Personal Data;
(e) information provided to a Data Subject or to the public;
(f) exercise of the Data Subject’s rights;
(g) measures referred to in Article 14;
(h) notification of Personal Data Breaches to the Commissioner and the communication of such Personal Data Breaches to a Data Subject;
(i) transfer of Personal Data to Third Countries or International Organisations; and
(j) out-of-court proceedings and other dispute resolution procedures for resolving disputes between a Controller or Processor and a Data Subject with regard to Processing, without prejudice to a Data Subject’s rights pursuant to Articles 60 and 64.

(3) Subject to the powers and functions of the Commissioner, a code of conduct referred to in Article 48(1) shall contain mechanisms that enable the relevant association or body to carry out the monitoring of compliance with its provisions by the Controllers or Processors that undertake to apply it.

(4) Persons or bodies referred to in Article 48(2) that intend to establish a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the Commissioner, who shall confirm whether or not the draft code is approved and may provide a process for approval by way of Regulations.
(5) Where the Commissioner approves a code under Article 48(4), it shall register and publish the code and designate a name by which the code is to be known.
(6) The Commissioner may also condition or withdraw approval of a code at any time, setting out the reason for such condition or withdrawal and any requirements that a Controller or Processor must implement in place of any such code where relied upon in accordance with Article 14(6).

49. Monitoring of approved codes of conduct

(1) Subject to the powers and functions of the Commissioner, the monitoring of compliance with a code of conduct approved by the Commissioner pursuant to Article 48 may be carried out by a body that has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the Commissioner.
(2) When deciding whether to accredit and maintain the accreditation of such a body, the Commissioner shall consider whether the body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code;
(b) established procedures that allow it to assess the eligibility of a Controller or Processor concerned to apply the code, to monitor compliance with its provisions and to periodically review its operation;
(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a Controller or Processor, and to make those procedures and structures transparent to Data Subjects or the public; and
(d) demonstrated that its tasks and duties do not result in a conflict of interests.
 

(3) The Commissioner will revoke accreditation if he believes the above conditions are not met or if the body has infringed this Law.
(4) An accredited body shall, subject to appropriate safeguards, take appropriate action if the relevant code is infringed by a Controller or Processor, including suspension or exclusion of a Controller or Processor concerned from the code. It shall inform the Commissioner of such actions and the reasons for taking them.

50. Certification schemes

(1) A certification scheme may be established for the purposes of enabling a Controller or Processor to demonstrate compliance with this Law. Participation in a certification scheme shall be voluntary and available by a transparent process.
(2) Any certification achieved by a Controller or Processor does not relieve it of any responsibility for compliance with this Law.
(3) Certification may only be issued by a certification body approved under Article 51 or by the Commissioner (if he establishes a certification scheme).
(4) A certification issued under an approved scheme shall remain valid for a maximum period of three (3) years and may be renewed for equivalent periods, provided the relevant conditions continue to be met by the Controller or Processor in question. The approved body or Commissioner shall withdraw the certification of a Controller or Processor that is found to no longer meet the requirements for certification.
(5) The Commissioner shall maintain a public register of all approved certification bodies and relevant schemes.

51. Certification and Accreditation

(1) The Commissioner may receive applications for accreditation for the purposes of running a certification scheme referred to in Article 50.
(2) The Commissioner shall only award accreditation where a body has:

(a) demonstrated independence and expertise in relation to the subject-matter of the certification to the satisfaction of the Commissioner;
(b) undertaken in writing to respect the criteria of the proposed scheme;
(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks in connection with the proposed scheme, including establishing explicitly defined specific criteria for granting or not granting certification to an applicant;
(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by a Controller or Processor, and has made those procedures and structures transparent to Data Subjects and the public;
(e) demonstrated, to the satisfaction of the Commissioner, that its tasks and duties do not result in a conflict of interests; and
(f) demonstrated its compliance with any criteria for accreditation approved by the Commissioner and made public from time to time, whether via Regulations or otherwise.

(3) The Commissioner will revoke accreditation if he believes the above conditions are not met or if the body has infringed this Law.
(4) The body applying for accreditation shall make available all information in written form necessary or requested by the Commissioner, in order for him to make a determination for the purposes of Article 51(2).
(5) The maximum period of any accreditation shall be five (5) years, subject to renewal provided the body can demonstrate continuing compliance with all relevant requirements.
(6) When accredited, a certification body is responsible for the proper assessment of a Controller or Processor leading to the certification or the refusal or withdrawal of certification regardless of responsibility of the Controller or Processor for compliance with this Law.

52. Production of information

(1) The Commissioner may require a Controller or Processor by written notice to:

(a) give specified information;
(b) produce the Processing records, or copies thereof, required to be maintained under Article 15; or
(c) produce any other specified documents, including copies, that relate to the Processing of Personal Data.

(2) A Controller or Processor shall not be required to disclose legally privileged material or material subject to a conflicting obligation of non-disclosure under Applicable Law.
(3) The party in respect of whom a requirement is made pursuant to Article 52(1) shall comply with that requirement, unless the requested information is legally privileged material or material subject to a conflicting obligation of non-disclosure under Applicable Law. Where the party fails to comply with the requirement it shall be in breach of this Law. The Commissioner may issue a direction or impose a fine in accordance with Articles 59 or 62 of this Law or conduct further investigations.

53. Regulations

(1) The DIFCA Board of Directors, after consultation with the Commissioner, may make Regulations under the Law in respect of:
(a) any matters related to the application of the Law; and
(b) as proposed by the Commissioner under Article 53(2).
(2) The Commissioner may propose Regulations to the DIFCA Board of Directors in respect of any matter that facilitates the administration and application of the Law or furthers the purposes of the Law, including but not limited to:
(a) procedures for initiating and filing complaints;
(b) procedures for appealing and reconsidering decisions or determinations of the Commissioner;
(c) fines, including from time to time setting any limits or issuing schedules of fines applicable to specific breaches of the Law or otherwise setting out methodology to be used and the factors that will be taken into account by the Commissioner to determine the amount of any fine under this Law;
(d) fees;
(e) forms, procedures and requirements under the Law;
(f) the keeping of the register of notifications; and
(g) the conduct of the Commissioner and his officers, employees and agents in relation to the exercise of powers and performance of functions.

(3) Where the DIFCA Board of Directors issues a standard or code of practice, it may incorporate such a standard or code into the Regulations by reference and in such circumstances, except to the extent that the Regulations otherwise provide, a person who is subject to the provisions of any such standard or code shall comply with such provisions as if they were provisions of the Regulations.
(4) Where any Applicable Law made for the purpose of this Law purports to be made in exercise of a particular power or powers, it shall be taken also to be made in the exercise of all powers under which it may be made.
(5) The Commissioner shall publish draft Regulations by means of a notice including:

(a) the draft text of the Regulations;
(b) a statement of the substance and purpose of the material provisions of the draft Regulations; and
(c) a summary of the draft Regulations.

(6) Upon publication of a notice under Article 53(5), the DIFCA shall invite interested persons to make representations with respect to the draft Regulations within a period of at least thirty (30) days after the publication, or within such period as the DIFCA Board of Directors may otherwise determine.
(7) Articles 53(5) and (6) shall not apply if the Commissioner concludes that any delay likely to arise under such Articles is prejudicial to the interests of the DIFC or to a Data Subject.

54. Funding

In respect of each financial year of the Commissioner, the Government of Dubai shall ensure that there is provision of sufficient financial resources to enable the Commissioner to adequately perform his functions and exercise his powers in accordance with the Laws and the Regulations.

55. Annual budget of the Commissioner

(1) The DIFCA Board of Directors shall, before the end of each financial year, submit to the President for the President’s approval estimates of the annual income and expenditure of the Commissioner for the next financial year.
(2) Such estimates shall include figures relating to levels of remuneration and entitlement to expenses of the officers, employees and agents of the Commissioner.
(3) The President may:

(a) approve the estimates submitted under Article 55(1); or
(b) on reasonable grounds reject such estimates within thirty (30) days of receiving them, where such rejection is to be advised in writing, with reasons, to the DIFCA Board of Directors.

(4) Unless the estimates have been expressly approved by the President under Article 55(3)(a) or rejected under Article 55(3)(b), they shall be deemed to have been approved on expiry of thirty (30) days from the date of submission referred to in Article 55(1).

56. Accounts

(1) The Commissioner shall keep proper accounts of his office’s financial activities.
(2) The Commissioner shall, before the end of the first quarter of the financial year, prepare financial statements for the previous financial year in accordance with accepted accounting standards.
(3) The accounts prepared under this Article shall be submitted for the approval of the DIFCA Board of Directors.

57. Audit of Commissioner

(1) The DIFCA Board of Directors shall appoint auditors to conduct an audit in relation to each financial year of the Commissioner.
(2) The DIFCA Board of Directors shall, as soon as reasonably practicable after the preparation and approval of the financial statements of the Commissioner, provide such statements to the relevant auditors for audit.
(3) The auditors shall prepare a report on the financial statements and send the report to the DIFCA Board of Directors.
(4) Such report shall, where appropriate, include a statement by the auditors as to whether or not, in their opinion, the financial statements to which the report relates give a true and fair view of the state of the financial activities of the Commissioner as at the end of the financial year to which the financial statements relate, and of the results of his operations and cash flows in the financial year.
(5) The auditors shall have a right of access at all reasonable times to all information that is reasonably required by them for the purposes of preparing the report and that is held or controlled by any officer, employee or agent of the Commissioner.
(6) The auditors shall be entitled reasonably to require from the officers, employees and agents of the Commissioner such information and explanations they consider necessary for the performance of their duties as auditors.
(7) A person shall not without reasonable excuse intentionally engage in conduct that results in the obstruction of a person appointed under Article 57(1) in the exercise of his powers.

58. Annual report

(1) Upon request, the Commissioner shall deliver to the President, a report on the management of the administrative affairs of the Commissioner, for the previous year.
(2) Such report shall give a true and fair view of the state of the Commissioner’s regulatory operations in the DIFC, and financial statements of the Commissioner, as at the end of the relevant financial year.