The rise of Data Protection Officers (DPO) in the Dubai International Financial Centre (DIFC)

By Dr Lena El-Malak, Vincent Rezzouk-Hammachi, Gabriel Voisin, Alex Willan

06-2020

How the new DPO role in DIFC compares with the European concept of DPOs 

The DIFC's new data protection legislation (DIFC Law No. 5 of 2020) was enacted on 1 June 2020 (the "DIFC Law"). This new legislation repeals and replaces Data Protection Law No. 1 of 2007 and all related Regulations. The DIFC Law will be effective from 1 July 2020, and DIFC-registered businesses will have until 1 October 2020 to comply with it.

As summarised in a previous Bird & Bird article, the DIFC Law includes various provisions inspired by the GDPR and places more accountability on organisations, which includes appointing a DPO in certain situations. We have set out below a comparison of the DPO role under the GDPR and the DIFC Law. 

The tables below are also available in PDF.

Designation of a DPO

When is an organisation required to appoint a DPO?
  GDPR: Art. 37(1). A controller or a processor must appoint a DPO where:
    (i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    (ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
    (iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data or data relating to criminal convictions and offences.
  DIFC Law: ✓ Art. 16(2). A DPO must be appointed by:
    (i) DIFC Bodies, other than the Courts acting in their judicial capacity; and
    (ii) a Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.

The DPO must notably have sufficient knowledge of data protection law and requirements
  GDPR: ✓ Art. 37(5)
  DIFC Law: ✓ Art. 17(1)

Even if an organisation is not required to appoint a DPO, it may be required to appoint one by the relevant data protection authority
  GDPR: No. However, pursuant to Article 58(2)(d) of the GDPR, supervisory authorities can order the controller or processor to bring processing operations into compliance with the provisions of the Regulation, where appropriate, in a specified manner and within a specified period.
  DIFC Law: ✓ Art. 16(3)

The DPO can be a member of staff, an employee of the group, or be outsourced to a third-party provider
  GDPR: ✓ Art. 37(6). However, there may be certain limitations applicable to certain employees given their management roles within the organisation.
  DIFC Law: ✓ Art. 16(5)

A group of undertakings may appoint a single data protection officer
  GDPR: ✓ Art. 37(2)
  DIFC Law: ✓ Art. 16(6)

Residency criteria for the DPO
  GDPR: No, the GDPR is silent on this point. However, the Working Party 29 (WP29) adopted[1] guidelines recommending that the DPO should be located within the European Union.
  DIFC Law: ✓ Art. 16(7). The DPO must reside in the UAE unless they are an individual employed within the organisation's Group who performs a similar function for the Group on an international basis.

The organisation must publish the contact details of the DPO
  GDPR: ✓ Art. 37(7)
  DIFC Law: ✓ Art. 16(8)

The organisation must communicate the contact details of the DPO to the data protection authority
  GDPR: ✓ Art. 37(7)
  DIFC Law: ✓ Art. 16(8). Only upon request from the data protection authority.

Position of the DPO

The DPO should perform their duties and tasks in an independent manner, and be able to act on their own authority
  GDPR: Art. 38(3) / Recital 97
  DIFC Law: ✓ Art. 17(2)(b)

The DPO should have direct access and report to top management
  GDPR: ✓ Art. 38(3)
  DIFC Law: ✓ Art. 17(2)(c)

The DPO should have sufficient resources to perform their duties in an effective, objective and independent manner
  GDPR: Art. 38(2)
  DIFC Law: ✓ Art. 17(2)(d)

The DPO should have access to personal data and processing operations within the organisation to carry out their duties and responsibilities
  GDPR: Art. 38(2)
  DIFC Law: ✓ Art. 17(2)(e)

The DPO may hold other roles or titles within the organisation or within each such group, and may fulfil additional tasks and duties
  GDPR: ✓ Art. 38(6). However, there may be certain limitations applicable to certain employees given their management roles within the organisation.
  DIFC Law: ✓ Art. 17(4)

The DPO should not be dismissed or penalised by the organisation for performing their tasks
  GDPR: ✓ Art. 38(3)
  DIFC Law: N/A

The DPO can be found personally liable if their advice leads to a situation of non-compliance for the organisation they represent
  GDPR: N/A
  DIFC Law: N/A

Role of the DPO

The DPO should be properly involved, in a timely manner, in all issues relating to the protection of personal data
  GDPR: ✓ Art. 38(1)
  DIFC Law: ✓ Art. 18(1)(a)

Any additional tasks and duties fulfilled by the DPO do not result in a conflict of interest
  GDPR: ✓ Art. 38(6)
  DIFC Law: Art. 18(1)(c)

Data subjects may contact the DPO with regard to all issues related to the processing of their personal data and the exercise of their rights
  GDPR: ✓ Art. 38(4)
  DIFC Law: Art. 18(2)

Annual review of the organisation's processing activities
  GDPR: No, the GDPR is silent on this point. However, the EDPB guidelines recommend the production of an annual report.
  DIFC Law: Art. 19. Where a controller is required to appoint a DPO, the DPO must undertake an assessment of the controller's processing activities at least once per year ("the Annual Assessment"), which shall be submitted to the data protection authorities. This requirement does not seem to be applicable to processing activities undertaken by a data processor.



What can the DPO help with?

The DPO must be independent and should act in a position which does not raise any conflict of interest.

The DPO is the point of contact between data protection authorities and individuals on the one hand, and the organisation which appointed them on the other hand. The role of a DPO consists of monitoring compliance and advising businesses on data protection initiatives. This includes:

  • Monitoring the organisation's compliance with the law and any other data protection or privacy-related laws or regulations to which the organisation is subject within the DIFC;
  • Providing support to ensure that the relevant policies and procedures are adhered to, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • Informing and advising the organisation and the employees who carry out processing of their obligations;
  • Advising on issues relating to data protection impact assessments and how to comply with the requirements;
  • Advising on personal data breaches (best practice); and
  • Cooperating with the data protection authorities and acting as a point of contact in case of queries.

What are the next steps? 

The DIFC Law will leave many of the DIFC's registered businesses questioning whether they should appoint a DPO, particularly since failing to appoint one where the DIFC Law mandates it could result in a fine of $50,000.

DIFC organisations falling under the requirement to appoint a DPO should appoint one before 1 October 2020.

If you wish to know more about the DPO role or Bird & Bird's outsourced DPO service, please contact Vincent Rezzouk-Hammachi for more information.


Join our webinar on Wednesday 24 June to learn more about the role of a DPO, their position within an organisation, and the local (DIFC) and European requirements for their appointment.



[1] Guidelines on Data Protection Officers (“DPOs”), WP 243 rev.01