SCHEDULE 1

1. Rules of interpretation

(1) In this Law, unless otherwise provided, a reference to:
(a) a statutory provision includes a reference to the statutory provision as amended or re-enacted from time to time;
(b) a “person” includes any natural person, body corporate or body unincorporate, including a company, partnership, unincorporated association, government or state;
(c) an obligation to publish or cause to be published a particular document shall, unless expressly provided otherwise in this Law, include publishing or causing to be published in printed or electronic form;
(d) a “day” means a calendar day, unless expressly stated otherwise. If an obligation falls on a calendar day which is either a Friday or Saturday, or an official public holiday, the obligation shall take place on the next calendar day which is a business day;
(e) a “week” shall mean a calendar week or seven (7) days, whichever is applicable in the circumstances;
(f) a “month” shall mean a period of thirty (30) days;
(g) a “year” shall mean a period of three hundred and sixty five (365) days and a “calendar year” shall mean a year of the Gregorian calendar;
(h) a reference to the masculine gender includes the feminine and vice versa;
(i) the singular shall include the plural and vice versa;
(j) "dollar" or "$" is a reference to United States Dollars unless the contrary intention appears;
and
(2) The headings in this Law shall not affect its interpretation.
(3) References in this Law to a body corporate include a company incorporated outside the DIFC.
(4) A reference in this Law to a Part, Chapter, Article or Schedule by number only, and without further identification, is a reference to the Part, Chapter, Article or Schedule of that number in this Law.
(5) A reference in an Article or other division of this Law to an Article by number or letter only, and without further identification, is a reference to the Article of that number or letter contained in the Article or other division of this Law in which that reference occurs.
(6) Unless the context otherwise requires, where this Law refers to an enactment, the reference is to that enactment as amended from time to time, and includes a reference to that enactment as extended or applied by or under another enactment, including any other provision of that enactment.
(7) References in this Law to writing, filing, instrument or certificate include any mode of communication that preserves a record of the information contained therein and is capable of being reproduced in tangible form, including electronic means.

 

2. Legislation in the DIFC

References to legislation and guidance in this Law shall be construed in accordance with the following provisions:
(a) Federal Law is law made by the federal government of the United Arab Emirates;
(b) Dubai Law is law made by the Ruler, as applicable in the Emirate of Dubai;
(c) DIFC Law is law made by the Ruler (including, by way of example, the Law), as applicable in the DIFC;
(d) the Law is the Data Protection Law, DIFC Law No. 5 of 2020 made by the Ruler;
(e) the Regulations are legislation made by the DIFCA Board of Directors under this Law and are binding in nature;
(f) the Enactment Notice is the enactment notice pursuant to which this Law is brought into force; and
(g) guidance is indicative and non-binding and may comprise (i) guidance made and issued by the Commissioner for the purposes of this Law; and (ii) any standard or code of practice issued by the DIFCA Board of Directors.

3. Defined terms

In the Law, unless the context indicates otherwise, the defined terms listed below shall have the corresponding meanings.

Terms

Definitions

Applicable Law

means all applicable laws, statutes, codes, ordinances, decrees, rules, regulations, municipal by-laws, judgments, orders, decisions, rulings or awards of any government, quasi-government, statutory or regulatory body, ministry, government agency or department, court, agency or association of competent jurisdiction.

Binding Corporate Rules

Personal Data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of Personal Data between members of a Group, legally bind such members to comply, and which contain provisions for the protection of such Personal Data.

Commissioner

the person appointed by the President pursuant to Article 43(1) of the Law to administer the Law.

Controller

any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

Court

the DIFC Court as established under Dubai Law.

Data Subject

the identified or Identifiable Natural Person to whom Personal Data relates.

DFSA

the Dubai Financial Services Authority.

DIFCA

the DIFC Authority established under Dubai law.

DIFC

the Dubai International Financial Centre.

DIFCA Board of Directors

the governing body of the DIFCA established under Law No. 9 of 2004.

DIFC Body

includes the Commissioner, DIFCA, DFSA, DIFC Courts, and any other person, body, office, registry or tribunal established under DIFC Laws or established upon approval of the President that is not revoked by this Law or any other DIFC Law.

“DIFC Bodies” shall have a corresponding meaning.

DPO

a data protection officer appointed by a Controller (including a Joint Controller), or Processor to independently oversee relevant data protection operations in the manner set out in Article 16, 17, 18 and 19.

Filing System

any structured set of Personal Data that is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.

Group

any group of entities that are related to each other by virtue of being Subsidiaries of the same Ultimate Holding Company or subsidiaries of any such Subsidiaries. Ultimate Holding Company and Subsidiary have the meaning given in the DIFC Companies Law, Law No. 5 of 2018 (as amended or updated).

High Risk Processing Activities

Processing of Personal Data where one (1) or more of the following applies:

(a) Processing that includes the adoption of new or different technologies or methods, which creates a materially increased risk to the security or rights of a Data Subject or renders it more difficult for a Data Subject to exercise his rights;

(b) a considerable amount of Personal Data will be Processed (including staff and contractor Personal Data) and where such Processing is likely to result in a high risk to the Data Subject, including due to the sensitivity of the Personal Data or risks relating to the security, integrity or privacy of the Personal Data;

(c) the Processing will involve a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated Processing, including Profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; or

(d) a material amount of Special Categories of Personal Data is to be Processed.

Identifiable Natural Person

means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly).

International Organisation

an organisation and its subordinate bodies governed by public international law, or any other body that is set up by, or on the basis of, an agreement between two (2) or more countries.

Joint Controller

any Controller that jointly determines the purposes and means of Processing with another Controller.

Law

this Data Protection Law 2020, Law No. 5 of 2020 as may be amended.

Personal Data

any information referring to an identified or Identifiable Natural Person.

Personal Data Breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

President

the President of the DIFC.

Process, Processed, Processes and Processing (and other variants)

any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:

(a) a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or

(b) law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Processor

any person who Processes Personal Data on behalf of a Controller.

Profiling

the automated Processing of Personal Data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

Registrar

the Registrar of Companies appointed pursuant to Article 6 of the Companies Law, DIFC Law No. 5 of 2018.

Regulations

has the meaning given in paragraph 2(e) of this Schedule 1.

Requesting Authority

has the meaning given in Article 28(1).

Ruler

the Ruler of the Emirate of Dubai.

Schedule

a schedule to the Law.

Special Categories of Personal Data

Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Single Discrete Incident

has the meaning given in Article 12(11).

Sub-processor

a processor appointed by the Processor as set out in Article 24(2).

Substantial Public Interest

includes, but is not limited to:

(a) administration of justice, including criminal and regulatory investigations; and

(b) exercise of a function conferred on a person by Applicable Law.

Third Country

a jurisdiction other than the DIFC, whether in the UAE or elsewhere.

Third Party

any person authorised to Process Personal Data, other than the:

(a) the Data Subject;

(b) the Controller;

(c) Joint Controller;

(d) the Processor; or

(e) Sub-processor.

UAE

the United Arab Emirates.