Personal data has become one of the most valuable business assets today and, at the same time, one of the most sensitive sources of legal liability for organisations. Every name, phone number, email address and transaction record falls under a strict regulatory framework that obliges companies to protect what they collect and grants individuals real control over their data. Within the Dubai International Financial Centre, the Data Protection Law sets out a comprehensive framework that balances the free flow of information and business needs on one hand, with the fundamental rights of data subjects on the other. In this article we explain the key obligations of companies and the rights afforded to individuals under this law, in practical terms that help organisations and individuals understand their legal position.
What Are Companies' Obligations and Individuals' Rights Under the DIFC Data Protection Law?
Scope of the Law and Who Is Subject to It
The Data Protection Law was issued by the Dubai International Financial Centre and came into force to repeal and replace the previous legislation, and has since been updated in its consolidated version following the latest amendments. The law aims to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of data subjects, including how those rights apply to emerging technologies.
The law applies to: the processing of personal data by automated means, and by non-automated means where the data forms part of a structured filing system; to any controller or processor incorporated in the DIFC regardless of where processing takes place; and to any processing carried out within the DIFC regardless of the place of incorporation.
The law does not apply to: the processing of personal data by natural persons in the course of a purely personal or household activity with no connection to a commercial purpose. Enforcement of the law is overseen by the Commissioner of Data Protection within the Centre, who holds supervisory, investigative and sanctioning powers.
The General Principles Governing Data Processing
The law requires every company that processes personal data to comply with a set of core principles and to be able to demonstrate compliance to the Commissioner. These principles are the backbone of compliance:
Lawfulness & Transparency
Data is processed lawfully, fairly and transparently in relation to the data subject.
Purpose Limitation
Collected for specified, explicit and legitimate purposes set at the time of collection, and not used incompatibly with them.
Data Minimisation
Limited to what is relevant and necessary for the purpose, without unjustified expansion.
Accuracy
Accurate and, where necessary, kept up to date, with rectification or erasure without undue delay.
Storage Limitation
Kept in a form that identifies the data subject only for as long as necessary for the purpose.
Security & Accountability
Kept secure with appropriate technical and organisational measures; the controller bears the burden of demonstrating compliance.
A Lawful Basis: No Processing Without Grounds
A company may not process any personal data unless it relies on at least one of the lawful bases exhaustively defined by the law:
Consent: the data subject's consent for specific purposes
Contract: necessary to perform a contract the subject is party to
Legal Obligation: compliance with applicable law
Vital Interests: protecting the life of the subject or another person
Public Interest: a DIFC body's task in the interest of the Centre
Legitimate Interests: unless overridden by the subject's rights
Special categories of data: sensitive data is subject to additional conditions and may not be processed except in specific cases, such as explicit consent, what is necessary for employment-related purposes, the protection of vital interests, or reasons of substantial public interest proportionate to the aim pursued.
Company Obligations (Controller and Processor)
Valid Consent
Where consent is the basis, it must be freely given through a clear affirmative act that unambiguously indicates agreement, and the company must be able to demonstrate it was obtained and manage its withdrawal, with periodic re-affirmation for ongoing processing.
Accountability & Protection by Design
The company must implement appropriate technical and organisational measures and adopt the principle of "data protection by design and by default", so that, by default, only the data necessary for each purpose is processed, registering with the Commissioner where the law so requires.
Records of Processing Activities
The controller and processor maintain a written record of processing activities including the categories of data subjects, categories of data and categories of recipients, any transfers to third countries or international organisations with their safeguards, erasure timeframes and a general description of security measures where possible.
Data Protection Officer (DPO)
A DPO must be appointed by DIFC bodies and by any controller or processor performing "high-risk processing activities" on a systematic or regular basis. The officer must have the requisite competence and independence, with direct access to senior management, and conducts an annual compliance assessment.
Impact Assessment & Prior Consultation
Before high-risk processing, the company carries out a data protection impact assessment analysing the risks to individuals' rights and the measures to address them, and may consult the Commissioner in advance, while complying with any direction issued as a result of that consultation.
Processors & Transfers Out of the Centre
Dealings with processors are governed by a binding written agreement defining responsibilities, confidentiality duties and sub-processor controls. Data may only be transferred out of the DIFC to a destination offering an adequate level of protection, or subject to appropriate safeguards where such adequacy is absent.
Cessation of Processing & Transparent Notice
When the purpose no longer exists or consent is withdrawn, the company must cease processing and delete, anonymise, pseudonymise or encrypt the data or put it beyond further use, and provide individuals with clear information about how their data is processed through privacy notices.
Individuals' Rights Over Their Personal Data
The law grants the data subject a set of enforceable rights, and the company must provide at least two methods for exercising them:
Withdraw Consent
An absolute right to withdraw consent at any time where it is the basis for processing.
Access, Rectification & Erasure
Obtain confirmation and a copy of the data and have it rectified or erased, free of charge and within one month of the request.
Object to Processing
Object to particular processing; the objection is deemed justified unless the company demonstrates compelling grounds overriding the individual's rights.
Restriction of Processing
Request restriction in cases such as a dispute over data accuracy or unlawful processing.
Data Portability
Receive the data in a portable format and have it transmitted directly to another party where technically feasible.
Automated Decisions & Profiling
Object to any decision based solely on automated processing that produces legal effects or similarly significant effects, and request manual review.
Non-Discrimination
Not to be treated less favourably merely for exercising the rights conferred by the law.
Notification of Recipients
The controller must notify recipients when data is rectified, erased or restricted.
Notification of Personal Data Breaches
Notifying the Commissioner: Where a breach compromises a data subject's confidentiality, security or privacy, the controller notifies the Commissioner as soon as practicable, describing the nature of the breach, its likely consequences and the measures taken to address it. A processor notifies the controller without undue delay.
Notifying the Data Subject: Where the breach is likely to result in a high risk to the individual's security or rights, the controller communicates it to the affected individual as soon as practicable, and promptly where there is an immediate risk of harm, in clear language with recommendations to mitigate the effects. Breaches must also be documented in writing.
Sanctions, Liability and the Right to Compensation
The Commissioner has the power to issue directions and impose administrative fines on infringers under the schedule of sanctions annexed to the law, alongside a general fining power. The following are examples of the maximum fines in US dollars:
$50,000: breaching the general principles, lawful processing requirements or security measures
$75,000: failing to provide individuals with the required processing information
$100,000: breaching individuals' rights such as access, rectification, objection and erasure
Civil liability and a direct right of action: the controller is liable for damage caused by unlawful processing, and the processor is liable where it breaches its obligations or acts outside the controller's instructions, with liability potentially being joint and several to ensure effective compensation. A data subject who suffers damage as a result of a contravention may apply directly to the Court for compensation, in addition to the right to lodge a complaint with the Commissioner.
Legal References
Governing legislation: DIFC Data Protection Law No. 5 of 2020 — Consolidated Version, as amended by the DIFC Laws Amendment Law No. 1 of 2025 and DIFC Law No. 2 of 2022.
Relevant articles: general principles (Article 9), lawfulness of processing (Article 10), special categories (Article 11), consent (Article 12), accountability (Article 14), records of processing (Article 15), the Data Protection Officer (Articles 16–19), impact assessment (Article 20), data transfers (Articles 26–27), provision of information (Articles 29–31), individuals' rights (Articles 32–40), breach notification (Articles 41–42), directions, fines, liability and the private right of action (Articles 59–64A), and the schedule of sanctions (Schedule 2).
“Data protection compliance is no longer a cosmetic option; it is part of the governance of any organisation operating within the Centre. A company that builds its policies on the principle of protection by design shields itself from fines as much as it protects its clients.”
— Lawyer Awadh Almheiri
Need Advice on Data Protection and Compliance?
Our legal team supports organisations and individuals in drafting privacy policies, processing agreements, breach-response procedures, and exercising the rights conferred by law.
AWADH ALMHEIRI LAW FIRM AND LEGAL CONSULTATIONS
Frequently Asked Questions
Who does the DIFC Data Protection Law apply to?
It applies to the processing of personal data within the DIFC, to any controller or processor incorporated in the Centre regardless of where processing occurs, and to any processing carried out within the Centre regardless of the place of incorporation. It does not apply to a purely personal or household activity unconnected to any commercial purpose.
When must a company appoint a Data Protection Officer (DPO)?
Appointment is required for DIFC bodies and for any controller or processor performing high-risk processing activities on a systematic or regular basis, and the Commissioner may require other entities to appoint one. The officer must have the requisite competence and independence and direct access to senior management.
How long does a company have to respond to an access request?
A data subject is entitled to obtain confirmation and a copy of their data free of charge and within one month of the request, subject to cases where the company may restrict the information for reasons specified by law, such as protecting investigations or public security.
What should be done when a data breach occurs?
The controller notifies the Commissioner as soon as practicable when a breach compromises the confidentiality, security or privacy of data, and informs the data subject where the breach is likely to result in a high risk, while documenting the breach in writing and taking measures to mitigate its effects.
Can an individual claim compensation for a breach of the law?
Yes. A data subject who suffers damage as a result of a contravention of the law may apply directly to the Court for compensation, in addition to the right to lodge a complaint with the Commissioner, and the liability of the controller and processor may be joint and several to ensure effective compensation.
To assist with your compliance or in exercising your rights, our team is at your service.
Legal Expertise That Protects Your Data and Your Business
✓ Drafting privacy policies and data processing agreements
✓ Breach-response procedures and complaints handling
✓ Representing individuals in exercising their rights
Our legal expertise, at your service
This article is prepared for the purpose of disseminating legal culture and raising community awareness, and does not constitute legal advice or a legal opinion on any specific matter. The legal treatment differs according to the circumstances of each case, and it is therefore advisable to consult a qualified legal advisor before taking any action. Reviewing this content does not create an attorney–client relationship. In the event of any discrepancy between this translation and the Arabic version, the Arabic text shall prevail.
Our Services in Dubai
AWADH ALMHEIRI LAW FIRM AND LEGAL CONSULTATIONS in Dubai provides services to organisations operating within and beyond the Dubai International Financial Centre in matters of personal data protection and privacy compliance, from building governance frameworks and drafting privacy policies and processing agreements, to managing individuals' requests, responding to data breach incidents and dealing with the competent supervisory authorities, in a way that safeguards business reputation and reduces legal exposure.
Our Services Across the Other Emirates
Our services extend to our clients in Abu Dhabi, Sharjah, Ajman, Umm Al Quwain, Ras Al Khaimah and Fujairah, where we support organisations and individuals in understanding their obligations and rights relating to personal data within the regulatory environment of the State, offering practical advice that helps balance business requirements with the protection of individuals' privacy, with close monitoring of any legislative developments affecting this vital field.