Data Protection in UAE - Dubai (DIFC)

Enforcement in UAE - Dubai (DIFC)

The Commissioner has general powers to investigate and conduct inspections where it suspects that a Controller or Processor is not operating within the law.

Where it concludes that the Controller or Processor is not acting in compliance with the DPL, it has the power to:

  • order it to do or refrain from doing any act or thing within such time as may be specified in the direction;
  • order it to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction;
  • issue an administrative fine in an amount he considers appropriate but not exceeding the amount specified in Schedule 2 in respect of each contravention. There are around 35 such fines in total, ranging from USD 10,000 to USD 100,000; and/or
  • issue a general fine in an amount he considers appropriate and proportionate, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subject.

There is also a process built into the DPL and the DPRs for disputing any action taken by the Commissioner, with an ultimate right to challenge any action in court (Article 63 DPL).

Under the DPL Data Subjects also have the right to bring a claim for compensation where they suffer “material or non-material damage” by reason of any contravention of the law.

The DPL also contains provisions allowing Data Subjects to make compensation claims in relation to contraventions of the data protection law. Under the DPL, court proceedings can be initiated by the Commissioner as well as by Data Subjects.

The Commissioner has recently begun to publish certain limited information on its investigations and enforcement activities, including published decisions on infringements, which are available on the DIFC website.
