59. Directions
(1) If the Commissioner is satisfied, either on the basis of a complaint under Article 60(1) or on the basis of other information within his knowledge, that a Controller or Processor has contravened or is contravening the Law or Regulations made for the purpose of the Law, he may issue a direction requiring him to do either or both of the following:
(a) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(b) to refrain from Processing any Personal Data specified in the direction or to refrain from
Processing Personal Data for a purpose or in a manner specified in the direction.
(2) The Commissioner may undertake reasonable and necessary inspections or investigations for the purposes of Article 59(1).
(3) A direction issued under Article 59(1) shall contain:
(a) a statement of the contravention of the Law or Regulations that the Commissioner is satisfied is being or has been committed; and
(b) a statement to the effect that the Controller or Processor may seek judicial review by theCourt of:
(i) the decision of the Commissioner to issue the direction; or
(ii) the terms of the direction.
(4) A Controller or Processor that fails to comply with a direction of the Commissioner under this part of the Law contravenes this Law and may be:
(a) subject to fines; or
(b) liable for payment of damages and compensation to the Data Subject.
(5) If the Commissioner considers that a Controller or Processor or any officer of either has failed to comply with a direction, he may apply to the Court for one (1) or more of the following orders:
(a) an order directing the Controller or Processor or officer to comply with the direction or any provision of the Law or the Regulations or of any Applicable Law administered by the Commissioner relevant to the issue of the direction;
(b) an order directing the Controller or Processor or officer to pay any costs incurred by the Commissioner or other person relating to the issue of the Commissioner’s direction or the contravention of such Law, Regulations or Applicable Law relevant to the issue of the direction; or
(c) any other order that the Court considers appropriate.
(6) Any affected party may make submissions to the Court in relation to the Commissioner’s application for an order under Article 59(5).
(7) Any affected party may ask the Commissioner to review the direction within fourteen (14) days of receiving a direction under this part of the Law. The Commissioner may receive further submissions and amend or discontinue the direction.(8) The Commissioner may, but is not obliged to, issue warnings to a Controller or Processor that its intended Processing operations are likely to infringe this Law.
(9) The Commissioner may, but is not obliged to, issue public reprimands to a Controller or Processor where its Processing operations have infringed this Law (in addition to imposing any other sanction provided for under this Law).
(10) The issuing of any direction by the Commissioner is without prejudice to the Commissioner's ability to impose fines under Article 62.60. Lodging complaints and mediation
(1) A Data Subject who contends that there has been a contravention of the Law or an alleged breach of his rights under the Law may lodge a complaint with the Commissioner.
(2) Multiple Data Subjects affected by the same alleged contravention or breach of rights referred to in Article 60(1) may raise such complaint collectively. The Commissioner may choose to deal collectively with multiple allegations which relate to the same contravention or breach of rights, whether not such allegations are brought collectively.
(3) The Commissioner may investigate the matters that are the subject of the complaint or mediate between the complainant and the relevant Controller or Processor.
(4) On the basis of the investigation or mediation referred to in Article 60(3), the Commissioner may issue a direction under Article 59(1) or make a declaration of no contravention of the Law.
(5) The DIFCA Board of Directors may make Regulations on the procedures relating to the conduct of mediation under this Article 60.61. General contravention
A Controller or Processor commits a contravention of this Law if it:
(a) does an act or thing that the Controller or Processor (as applicable) is prohibited from doing by or under this Law and the Regulations;
(b) does not do an act or thing that the Controller or Processor (as applicable) is required or directed to do under this Law and the Regulations (including where the Commissioner has issued a direction); or
(c) otherwise contravenes a provision of this Law and the Regulations.62. Imposition of fines
(1) The DIFCA Board of Directors shall make Regulations on the procedures relating to the imposition and recovery of fines under this Article 62.
(2) Subject to Article 62(3), where the Commissioner considers that a Controller or Processor (including a Sub-processor) has contravened the Law, the Commissioner may issue an administrative fine to the Controller or Processor in respect of a contravention referred to in Schedule 2 in an amount he considers appropriate but not exceeding the amount specified in Schedule 2 in respect of each contravention, payable by the date specified in such notice.
(3) The Commissioner may issue a general fine for a contravention of the Law by a Controller or Processor (including a Sub-processor), in an amount he considers appropriate and proportionate, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subject. Such fine shall be issued by written notice and shall be payable by the date specified in such notice.(4) If, within the period specified in the notice referred to in Article 62(2) or 62(3), the Controller or Processor (as applicable) pays the prescribed fine to the Commissioner, then he may commence no further proceedings against the person in respect of the relevant contravention, but he may take action in relation to any continuing contravention, including where, in addition to the fine, a direction to the relevant Controller or Processor has been issued and has not been complied with.
(5) Provided an objection instigated in accordance with Article 62(6) is not in progress, if a Controller or Processor (as applicable) has not paid the prescribed fine to the Commissioner’s office within the period specified in the notice referred to in Article 62(2) or 62(3) or within ten (10) days following the determination of any objection instigated in accordance with Article 62(6) in such terms that a fine is payable, then the Commissioner may apply to the Court for, and the Court may so order, the payment of the fine or so much of the fine as is not paid and make any further order as the Court sees fit for recovery of the fine including any order for interest, costs of enforcement (including legal costs) and other expenses directly arising from the failure to pay.
(6) A Controller or Processor (as applicable) may object to the imposition of a fine in accordance with procedures specified in Regulations referred to in Article 62(1).
(7) A certificate that purports to be signed by the Commissioner and states that a written notice was given to a person pursuant to Article 62(2) or 62(3) imposing a fine on the basis of specific facts is:
(a) conclusive evidence of the giving of the notice to the person; and
(b) prima facie evidence of the facts contained in the notice, in any proceedings commenced under Article 62(4).
(8) In addition to any fine, the Commissioner may request the Court to make an order for damages or compensation payable to a Data Subject, even if he has not made a claim in accordance with Article64. The principles in Article 64 will be considered when making the request to the Court. The Commissioner shall not make such requests unless in his opinion the Data Subject in question has suffered material damage as a result of the breach in question and is disadvantaged in his ability to bring a claim to the Court in his own name.
63. Application to the Court
(1) Any Controller or Processor who is found to contravene this Law or a direction of the
Commissioner may appeal to the Court against the finding within thirty (30) days.
(2) A Data Subject who disagrees with a finding by the Commissioner of contravention of the Law or of no contravention of the Law may appeal against the finding to the Court within thirty (30) days.
(3) The Court may make any orders that it may think just and appropriate in the circumstances, including remedies for damages or compensation, penalties and imposition of administrative fines and findings of fact or alternative findings of fact in relation to whether or not the Law has been contravened.64. Compensation
(1) A Data Subject who suffers material or non-material damage by reason of any contravention of this Law or the Regulations may apply to the Court for compensation from the Controller or Processor in question, in addition to, and exclusive of, any fine imposed on the same parties under Article 62. The same measure of damage shall be taken into account in any Court proceeding initiated by the Commissioner under Article 46(3)(d). No person shall be required to pay compensation twice with respect to the same damage.
(2) Any Controller involved in Processing that infringes this Law shall be liable for the damage caused.
A Processor shall be liable for the damage caused by Processing only where it has not complied with obligations of this Law specifically directed to Processors or where it has acted outside or contrary to the lawful instructions of the Controller.
(3) Where more than one Controller or Processor, or both a Controller and a Processor, are involved in the same Processing and where they are responsible for any damage caused by Processing, each person shall be held jointly and severally liable for the entire damage in order to ensure effective compensation of the Data Subject.
(4) Proceedings for exercising the right to receive compensation shall be brought before the Court, but may be settled out of Court.