Another Data Protection law having relevance to Indian Companies is now out. Effective 1st July 2020, the Data Protection Law in Dubai has been revised and brought in line with the current trends.
The new DIFC (Dubai International Financial Center) law (no 5 of 2020) replaces the earlier 2007 version. The law tries to replicate the GDPR provisions but expresses the provisions differently and perhaps with a little more clarity.
The application of the law is in the jurisdiction of DIFC and the purpose is to protect the fundamental rights of data subjects as well as provide standards and controls for processing.
The law applies if the data processor/controller is situated in DIFC or processes personal data in DIFC as part of stable arrangements other than on an occassional basis.
Processing is generally subject to free consent or explicit consent (special category of information) though other basis such as a contract, legal necessity, protection of vital interest of data subject as well as the legitimate interest.
The appointment of a DPO is optional except for controllers performing high risk processing activities on a systematic basis. DPO must reside in UAE.
Transfer of data outside DIFC is permitted on “Adequacy” basis, or through a legally binding instrument, Binding Corporate Rules, Standard Protection clausses approved code of conduct etc. Transfer is also permissible under an explicit consent, or public interest , for legal claims etc.
The requirements of notice and the information to be contained there in is also mentioned in the act.
Rights of the Data Subject such as withdrawal of consent, right to access, rectification and erasure as well as portability and object to profiling are also provided.
Atleast two means of contact for the data subject to exercise their rights need to be provided.
Data Breach Notification is provided for and the Commissioner shall be the regulatory authority. Only in high risk breaches the data subjects need to be notified.
A voluntary certification scheme may be established for the purpose of the Controller or Processor to demonstrate compliance of the law but certification alone will not relieve the responsibility for compliance. The Commissioner may issue accreditation for agencies who are authorized to issue such certificates.
Non compliance is subject to appropriate fines that may be imposed by the Commissioner. Right of private action is also available.
In general the regulation closely follows the GDPR principles but avoids the quoting of a threatening high limit of fine or criminal prosecution though they could be invoked when necessary.
The Indian companies who intend using Dubai as a base for their operations should gear up to the new regulation.
(P.S: This is only a preliminary view to keep the legislation under our radar. Watch out for detailed discussions in due course)
(Copy of the law can be found here)