DIFC Data Protection Law
United Arab Emirates2020PrivacyOverview
The Dubai International Financial Centre (DIFC) Data Protection Law, enacted in 2020, aligns with global standards such as the EU GDPR. It regulates the collection, processing, storage, and transfer of personal data within the DIFC, ensuring privacy, accountability, and transparency.It applies to all DIFC-registered entities, including banks, financial institutions, fintechs, asset managers, insurers, law firms, and corporate service providers. The law provides individuals with enhanced data rights and sets strict obligations for controllers and processors.
Key Obligations
- Process data lawfully, fairly, and for specified purposes
- Obtain explicit consent where required
- Grant data subjects rights: access, correction, erasure, restriction, and portability
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Appoint a Data Protection Officer (DPO) where necessary
- Notify the DIFC Commissioner of data breaches without undue delay
- Restrict cross-border transfers unless adequate safeguards exist
- Maintain processing records and adopt technical/organizational safeguards
Stay ahead of risk with Signzy
Explore tools that help you onboard, monitor, and verify with confidence
Related Regulations
FAQ
Who enforces this law?
The DIFC Commissioner of Data Protection.
Does it apply outside DIFC?
No. It only applies to entities incorporated, registered, or licensed in the DIFC free zone.
Are breach notifications mandatory?
YYes. Controllers must notify the Commissioner and, in high-risk cases, the affected individuals.
What penalties apply for non-compliance?
Administrative fines up to USD 100,000 and other regulatory sanctions.