DIFC Summary of Data Protection Law

    United Arab Emirates

    DIFC Law No. 1 of 2007

    The DIFC is an independent jurisdiction within Dubai that is governed by a framework of international standards and principles of common law (unlike the UAE) and by an independent judiciary. The DIFC has enacted and amended comprehensive data protection legislation applicable within the DIFC jurisdiction.

    Last Updated: July 30, 2019

  • General

    The DIFC is a financial hub for the Middle East, Africa and South Asia established in 2004 within Dubai. The DIFC is an independent jurisdiction governed by a framework of international standards and principles of common law and an independent judiciary with seven judges from England, Singapore, the UAE and Malaysia.

    The DIFC is empowered to create its own laws for civil and commercial matters. There are two regulators responsible for overseeing the strategic development, operational management, planning and administration of laws and regulations. The DIFC Authority is the principal governing body and is responsible for legislation and governance of non-financial acts, and the Dubai Financial Services Authority is responsible for regulating the conduct of all financial services and transactions. The DIFC Authority and the ruler of Dubai have put in place a Data Protection Framework that is composed of:

    • Data Protection Law, DIFC Law No. 1 of 2007 and the 2012 and 2018 amendments (“the Law”). This law is based on international Data Protection concepts, requirements and standards. The instrument lays down the lawful criteria for the processing of personal data, which parallel those found in EU legislation; it confers rights to data subjects (access, rectification, erasure, and blocking) that are similar to those in the EU, and imposes similar obligations on data controllers; it provides a catalogue of principles for the lawful processing of personal data; it creates an independent data protection authority (Commissioner of Data Protection) and regulates the extent of the powers and funding conferred to the Commissioner of Data Protection.
    • The Data Protection Regulations No.3 of 2018 (“the Regulations”). This is an implementing regulation that lays down specific provisions concerning: requirements and procedures for applications for permits needed for processing special categories of data; application for permits to transfer sensitive data outside the DIFC; requirements of records and notifications as well as the timeframe for notifications where no specific provision is laid down in the DIFC Law No.1 of 2007; rules for the imposition of fines as well as the right of objection and corresponding procedure; a mediation process; and a table of fees (for registration and annual renewal, permits for processing sensitive data and permits for transferring sensitive data outside the DIFC).
    • The Direct Marketing and Electronic Communications Guidelines of 2019. This document is addressed to controllers and processors established in the DIFC, providing practical guidance on applying the rules relating to the processing of personal data for the purpose of direct marketing. This document includes concepts taken from the EU ePrivacy Directive, the GDPR, and the outdated EU Data Protection Directive 95/46/EC.


    This framework is applicable only within the DIFC to all entities processing personal data. This law applies to all controllers and processors established in the DIFC (regardless of whether the data relates to citizens or residents in the DIFC) and to entities established outside the DIFC who process data of DIFC residents and citizens. The material scope of the law encompasses processing operations carried out manually (which are meant to form part of a filing system), and processing operations carried out by electronic and/or automatic means.


    Schedule 1 of the Law provides a list of definitions that are relevant for the correct interpretation of the data protection framework:

    • Data – Any information which: (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment; or (c) is recorded as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System.
    • Data controller – Any person in the DIFC who alone or jointly with others determines the purposes and means of the Processing of Personal Data. 
    • Data processor – Any person who Processes Personal Data on behalf of a Data Controller. 
    • Data subject – The individual to whom Personal Data relates.
    • Identifiable natural person – Is any natural living person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity. 
    • Personal data – Any Data referring to an Identifiable Natural Person.
    • Process, processes, processing and processed – Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. 
    • Recipient – Any person to whom Personal Data is disclosed, whether a Third Party or not. Public authorities that receive personal data as part of a specific inquiry are not to be considered recipients.
    • Relevant filing system – Any set of information relating to an Identifiable Natural Person to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
    • Sensitive personal information – Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life. 
    • Third party – Any person other than the Data Subject, the Data Controller, the Data Processor and the persons who, under the direct control of the Data Controller or the Data Processor, is authorized to Process the Personal Data. 
  • DatabreachPedia


    In Dubai, based on Art. 16 (4) of the DIFC Data Protection Law, it is mandatory for data controllers (or data processors) to notify in case of incidents involving unauthorized intrusion, either physical, electronic, or otherwise, to any personal data database.

    Is it Mandatory to Notify Individuals?

    No, but recommended.

    Is it Mandatory to Notify Regulator?


    Notification Deadline

    As soon as reasonably practicable.

    Responsible Regulator

    Dubai International Financial Centre/DIFC Authority
    The Gate, Level 14, DIFC
    P.O. Box 74777,
    Dubai, UAE
    Tel: +971 (0)4 362 2222

    DIFC Authority (London Office)
    68 Lombard Street
    P.O. Box EC3V 9LJ,
    London, United Kingdom
    Tel: +44 207 868 2811

    Website: https://www.difc.ae/business/operating/data-protection/

    Breach Notification Format

    There is no prescribed content or format for the breach notification to the individuals; however, the DIFC advises notifying through a medium that is appropriate and secure and giving clear and specific advice to individuals on how to protect themselves from the breach consequences. The law also does not prescribe any specific content or format for the breach notification to the KVKK; the contact details above can be used.
