Data Protection in UAE - Dubai (DIFC)

Transfer in UAE - Dubai (DIFC)

As per Article 26 DPL, Personal Data may be transferred out of the DIFC:

  • to a country or jurisdiction that has been determined to have adequate protections (available on the DIFC Commissioner for Data Protection website); or
  • if it takes place in accordance with Article 27 DPL. 

Article 27 DPL provides that:

A transfer or a set of transfers of Personal Data to a Third Country (i.e. anywhere other than the DIFC, including onshore UAE) or an International Organisation (as defined within the DPL) may take place on condition that:

  • the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2), set out below), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
  • one of the specific derogations in Article 27(3) (set out below) applies; or
  • the limited circumstances in Article 27(4) (set out below) apply. 

Article 27(2) DPL provides that the appropriate safeguards referred to at (a) above may be provided for by:

  • a legally binding instrument between public authorities;
  • Binding Corporate Rules (i.e. Personal Data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of Personal Data between members of a Group, legally bind such members to comply, and which contain provisions for the protection of such Personal Data);
  • standard data protection clauses adopted by the Commissioner (available on the DIFC website). The DIFC SCCs are a synthesised set of SCCs modelled on the EU Model Clauses and UK IDTA. They do not, however, take a modular approach;
  • an approved code of conduct pursuant to Article 48 together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding a Data Subject’s rights; or
  • an approved certification mechanism pursuant to Article 50 DPL together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding Data Subjects' rights. 

Article 27(3) DPL sets out the following derogations:

  • a Data Subject has explicitly consented to a proposed transfer, after being informed of possible risks of such transfer due to the absence of an adequacy decision or appropriate safeguards;
  • the transfer is necessary for the performance of a contract between a Data Subject and Controller or the implementation of pre-contractual measures taken in response to the Data Subject's request;
  • the transfer is necessary for the conclusion or performance of a contract that is in the interest of a Data Subject between a Controller and a third party;
  • the transfer is necessary for reasons of Substantial Public Interest;
  • the transfer is necessary or legally required in the interests of the DIFC, including in the interests of the DIFC Bodies relating to the proper discharge of their functions;
  • the transfer is necessary for the establishment, exercise or defence of a legal claim;
  • the transfer is necessary in order to protect the vital interests of a Data Subject or of other persons where a Data Subject is physically or legally incapable of giving consent;
  • the transfer is made in compliance with applicable law and data minimisation principles from a register that is:
    • intended to provide information to the public; and
    • open for viewing either by the public in general or by any person who can demonstrate a legitimate interest;
  • subject to Article 28 DPL (which sets out the requirements for data sharing with public authorities), the transfer is:
    • necessary for compliance with any obligation under applicable law to which the Controller is subject;
    • made at the reasonable request of a regulator, police or other government agency or competent authority;
  • subject to international financial standards, the transfer is necessary to uphold the legitimate interests of a Controller recognised in international financial markets, except where such interests are overridden by the legitimate interests of the Data Subject relating to the Data Subject's particular situation; or
  • the transfer is necessary to comply with applicable anti-money laundering or counter-terrorist financing obligations that apply to a Controller or Processor or for the prevention or detection of a crime.

Article 27(4) DPL, which makes data transfers under the DPL more flexible, provides that where a transfer could not be based on one of the aforementioned bases (including those at (a)–(k)), such transfer to a Third Country or an International Organisation may take place only if:

  • the transfer is not repeating or part of a repetitive course of transfers;
  • the transfer concerns only a limited number of Data Subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the Controller that are not overridden by the interests or rights of the Data Subject; and
  • the Controller has completed a documentary assessment of all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of Personal Data. 

Under such circumstances the Controller is required to inform the Commissioner of any such transfer and to inform the Data Subject of the transfer and the compelling legitimate interests.
