Dubai: DIFC Data Protection Law

February 13, 2013

The DIFC Data Protection Law Amendment Law (DIFC Law No. 5 of 2012) (the ‘Amendment Law’) was enacted on 23 December 2012. It amends the existing DIFC Data Protection Law No.1 of 2007 (the ‘Law’) and the Data Protection Regulations (the ‘Regulations’). 

The Dubai International Financial Centre (DIFC) is a federal free zone in Dubai, UAE, with the authority to self-regulate in civil and commercial areas. It is one of very few jurisdictions in the Middle East to have implemented a specific data protection regime to ensure proper treatment of data relating to identifiable individuals, which is administered by the DIFC Commissioner of Data Protection (the ‘Commissioner’).

The purpose of the Amendment Law is to ensure that the Law and Regulations are consistent with international data protection regimes (particularly the EU Data Protection Directive) and to enable increased transparency, efficiency and effectiveness in the exercise of the Commissioner’s powers.

The key changes to the Law and Regulations are as follows.


Under the Law, a person who processes personal data (a ‘Data Controller’) shall ‘file a notification’ annually with the Commissioner in accordance with the Regulations. The Regulations appear on their face to provide for the filing of such notifications in relatively limited circumstances but, in practice, the Commissioner requires Data Controllers to file a general notification in respect of all their data processing activities.

The Amendment Law includes a new provision requiring Data Controllers to notify the Commissioner of any changes to their data processing activities within 14 days of the change(s) occurring, together with payment of the applicable fees.


It is now expressly provided that a Data Controller may not contravene the Law by any act or omission that is not compliant with the Law or the Regulations.  Further, it is now provided that if the Commissioner considers that a Data Controller has failed to comply with a direction issued by the Commissioner, the Commissioner may apply to the DIFC Court for an order directing compliance and the payment of costs.


The Commissioner may impose fines on Data Controllers for certain contraventions. The contraventions for which the Commissioner may impose a fine and the corresponding maximum fines are set out in a new Schedule 2 to the Law. The maximum fines range from US$5,000 to US$25,000 depending on the relevant contravention.

Definition of ‘Personal Data’

The Law governs the processing of personal data referring to a living person who can be identified from that information (‘Personal Data’). The definition of ‘Personal Data’ now covers any of the foregoing information which is or is to be processed by automatic means or which is or is to be recorded as part of a ‘Relevant Filing System’. A Relevant Filing System could be any filing system where specific information relating to a particular individual is readily accessible. 

This amendment should ensure that Data Controllers only have to provide data subjects with rights of access to Personal Data where that data is processed or organised in such a way that it is realistically searchable and accessible.


The amendments expressly provide that certain fees shall be payable by Data Controllers in accordance with the Regulations. Appendix 1 of the Regulations sets out a table of fees payable to the Commissioner including in relation to notification/registration, renewals and amendments of notifications and permits.


The amendments are not extensive but help to clarify Data Controllers’ practical obligations under the Law. Further, the introduction of a formal system of fines is likely to assist in encouraging increased understanding of and compliance with the Law.

Fiona Tyas is a legal director in the IP and the technology, media and telecoms groups in the Dubai office of Clyde & Co.: