The new Dubai Data Protection Law, in comparison to the 2007 version, places a lot more emphasis on compliance.
Article 8 of the old Act and Article 9 of the current Act speak of the General Requirements. It may be observed that most of the requirements in the 2007 law have been carried over to the 2020 law, with the addition of “Transparency”.
Additionally, “Lawfulness” has been separately expanded in Article 10, and Accountability and Notification are separately explained under Article 14 (2020). Six bases have been identified under “Lawfulness”, and any one of them is considered acceptable. This follows the GDPR model and includes:
b) Necessity for performance of a contract in which the Data Subject is a party
c) Necessity for compliance of an applicable law that a “controller is subject to”
d) Necessity for protecting the vital interests of a data subject or of any natural person
e) Necessity for the functioning of DIFC
f) Legitimate interest
The 2020 law also adds genetic and biometric data to the list of special categories defined in the earlier version, which require “Explicit Consent”.
Consent and Notice have been elaborately covered along with Accountability. The onus of proving that Consent has been obtained lies on the Data Controller.
Article 10(1)(f) states that one of the lawful bases on which personal data can be processed includes where:
“Processing is necessary for the purpose of legitimate interests pursued by a Controller or a Third Party to whom the Personal Data has been made available, subject to Article 13, except where such interests are overridden by the interests or rights of a Data Subject.”
Article 13, on the other hand, states:
(1) A public authority subject to DIFC law may not rely on the basis of legitimate interests under Article 10(1)(f) to Process Personal Data.
(2) A Controller that is part of a Group may have a legitimate interest in transferring Personal Data within its Group for internal administrative purposes.
(3) Processing of Personal Data shall be considered a legitimate interest of a Controller if it is necessary and proportionate to prevent fraud or ensure network and information security.
In terms of compliance, therefore, a Data Controller should always look for “Consent” and, when in doubt, bring the processing under the legitimate interest argument, preferably supported by appropriate internal documentation.
One of the areas of emphasis in the new version of the law is the Accountability of the Data Controller. The Controller needs to establish data protection by design and by default, taking into account the risk assessment and establishing a compliance program. The law repeatedly emphasizes “Proportionality” of data collection to the purpose of collection.
Article 14(7) states:
“A Controller or Processor shall register with the Commissioner by filing a notification of Processing operations, which shall be kept up to date through amended notifications.”
Article 14(8) also states that the above notification shall be kept in a publicly available register maintained by the Commissioner.
This provision is similar to the Indian provision of a “Privacy by design policy” being filed with the DPA and is a significant change to be noted.
(To Be continued…)