In an era of increased globalization and electronic advances, information has never been more readily available and transmittable. Businesses and international banking and financial services organizations, are increasingly exchanging personal data electronically and across borders.

Personal Data includes any information relating to an individual’s name, age, home address, race, sexual orientation, income, health, blood type, marital status, education, and employment information is internationally considered as Sensitive Personal Data. The result of the processing and mishandling –voluntary or involuntary- of personal data can have significant consequences, including credit card and identity theft. It is crucial that individuals’ right to privacy is protected by establishing effective data protection laws and enforcing legal safeguards to secure and protect personal data and its processing. Today governments and regulators world-wide, with the EU countries in the fore-front, are increasingly calling for measures to protect privacy and the adoption of data protection regimes to enforce such safeguards.  

The Office of the Data Protection Commissioner was established under the Data Protection Law of 2007 (DIFC Law No. 1 of 2007) as a neutral and objective body to ensure the protection of all personal information in the DIFC. The legislation creates a legal and procedural framework which ensures that all personal data in the DIFC is treated fairly, lawfully and securely when it is stored, processed, used, disseminated or disclosed. DIFC Law No.1 of 2007 expands on and replaces the data protection regime previously administered by DFSA.

Under the new DP Law of 2007 all entities both regulated and unregulated are required to register with the Office of the DP Commissioner. This requirement was not being implemented under the DP Law enacted in 2004. and administered by the DFSA.

The DIFC DP Law of 2007 encompasses and applies to regulated entities, including all banks and financial institutions, as well as non-regulated organizations that may process personal data to carry out their business activities. 

Benefits of Registration to Individuals:

• Protects and raises awareness of individuals’ rights to privacy and confidentiality  
• Promote openness, transparency and disclosure, in the use of personal information and helps individuals understand how their personal information is being processed by data controllers
• Allows individuals to request the correction of individual and/or personal information being processed.

Benefits of Registration to Companies:

• Registration will ensure that personal data are processed in accordance with the fundamental respect for the right to privacy and confidentiality without hindering the flow of data. Please see the Eight Principles relating to the processing of personal data embodied in the DIFC DP Law.
• Requires companies (i.e. data controllers) to be transparent and open about their data processing activities as well as take necessary measures to correct the gaps in their security structures, from a business, technical and a legal standpoint.
• One of the critical areas where data protection is relevant is business processing operations and outsourcing. Activities such as insurance claims management and payment processing activities typically handle and process large amounts of personal data. More recently offshore outsourcing has been under much scrutiny for failing to address data protection issues. With established safeguards in place, this will help in facilitating activities related to back office functions that are essential for the operation of banks and financial institutions.
• By obtaining acceptance on the adequacy of its data protection regime by the EU’s Article 29 Working Party. This will facilitate the transfer of data to and from the DIFC and ensure banks and financial institutions registered at the DIFC can carry out their activities with other jurisdictions smoothly and efficiently.