January 29, 2011

Data Protection update 2: Data Protection in the DIFC

This is the second bulletin published by Clyde & Co's Commercial Group relating to data protection and privacy in the Middle East.

Data protection and privacy are important considerations for all businesses. Failing to treat personal information in accordance with legislative requirements and best practice can have an adverse effect on a company's reputation, its employees and its customers.

Specific data protection regimes are now in place in many jurisdictions. Awareness of the implications of data protection and privacy issues is increasing around the globe, including in the Middle East, where there have been a number of developments in recent months.

The DIFC has had a data protection regime since 2004. The DIFC data protection regime was significantly overhauled by the DIFC's Data Protection Law 2007 (2007 Law).

The 2007 Law was designed to be consistent with, among others, EU data protection directives. The 2007 Law:

  1. applies in the jurisdiction of the DIFC;
  2. applies to certain information relating to identifiable individuals; and
  3. sets out obligations relating to the collection, handling, disclosure and use of personal data.

Processing personal data in the DIFC

In accordance with the 2007 Law, obligations are placed on those responsible for determining the purpose and means of collecting personal data to ensure that, among other things, personal data is processed fairly, lawfully, securely and for a specified and legitimate purpose.

Personal data may only be processed in the DIFC if, among other things:

  1. the individual to whom the personal data relates (Data Subject) has given his written consent to the processing of his personal data;
  2. processing of personal information is necessary for the performance of a contract to which the Data Subject is a party;
  3. processing is necessary in order for the controller of the personal information to comply with legal obligations; or
  4. processing is necessary to protect the 'vital interests' of the Data Subject.

In accordance with the 2007 Law, specific obligations apply to the legitimate processing of personal data which is 'sensitive' in nature. Personal information is considered to be 'sensitive' if it relates to the 'racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade union membership and health or sex life' of a Data Subject.

Companies registered in the DIFC must ensure that care is taken when any personal data is processed in the DIFC, including personal data relating to the employees of companies registered in the DIFC. Particular care should be taken when 'sensitive' personal data is processed.

Transferring personal data

The 2007 Law sets out the requirements for transferring personal data that originates within the DIFC to areas outside the DIFC. In principle, personal data that originates within the DIFC may only be transferred to jurisdictions outside the DIFC which are considered to have an 'adequate level of protection'. The jurisdictions considered to have an 'adequate level of protection' include all of the Member States of the EU. Significantly, neither the United Arab Emirates nor the United States is considered to be a jurisdiction with an 'adequate level of protection' under the 2007 Law.

Rights of Data Subjects

The 2007 Law grants Data Subjects certain rights, including rights to seek and obtain confirmation from data controllers as to whether or not personal data which relates to them is being processed and, if it is, why it is being processed.

Data Subjects also have the right, under the 2007 Law, to object to the processing of personal information which relates to them and to object to that information being disclosed to third parties.

The 2007 Law establishes a DIFC Commissioner of Data Protection who is responsible for, among other things, administering the 2007 Law and developing policies to promote the 2007 Law.

It is important that companies operating in the DIFC are aware of, and comply with, their obligations under the 2007 Law and that they have adequate policies and procedures in place to protect themselves and the personal data that they process.

Clyde & Co will be publishing a bulletin on data breaches in the UAE and the DIFC in the near future.