The rise of Data Protection Officers (DPO) in the Dubai International Financial Centre (DIFC)
How the new DPO role in DIFC compares with the European concept of DPOs
The new DIFC's data protection legislation (DIFC Law No. 5 of 2020) was enacted on 1 June 2020 (“DIFC Law”). This new legislation repeals and replaces Data Protection Law No.1 of 2007 and all related Regulations. The DIFC Law will be effective from 1 July 2020, and DIFC registered businesses will have until 1 October 2020 to comply with it.
As summarised in a previous Bird & Bird article, the DIFC Law includes various provisions inspired by the GDPR and places more accountability on organisations, which includes appointing a DPO in certain situations. We have set out below a comparison of the DPO role under the GDPR and the DIFC Law.
The tables below are also available in PDF.
| Fundamental | GDPR | DIFC Law | ||
| Designation of a DPO | ||||
| When is an organisation required to approach a DPO? |
✓ Art. 37(1) A controller or a processor must appoint a must appointed a DPO where: (i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; |
✓ Art. 16(2) A DPO must be appointed: (i) DIFC Bodies, other than the Courts acting in their judicial capacity; and (ii) A Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.
|
||
| The DPO must notably have sufficient knowledge of data protection law and requirements | ✓ Art. 37(5) | ✓ Art. 17(1) | ||
| Even if an organisation is not required to appoint a DPO, they may be required to appoint a DPO by the relevant data protection authority |
✓ NO Pursuant article 58(2) (d) of the GDPR, supervisory authorities can to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period. |
✓ Art. 16(3) | ||
| The DPO can be a member of staff, employee of the group or be outsourced to a third-party provider |
✓ Art. 37(6) However there may be certain limitations applicable to certain employees given their management roles within the organisation. |
✓ Art. 16(5) | ||
| A group of undertakings may appoint a single data protection officer | ✓ Art. 37(2) | ✓ Art. 16(6) | ||
| Residency criteria of the DPO | No, the GDPR is silent on this point. However, the Working Party 29 (WP29) adopted[1] guidelines recommending that the DPO should be located within the European Union. |
✓ Art. 16(7) The DPO must reside in the UAE unless they are an individual employed within the organisation's Group and performs a similar function for the Group on an international basis. |
||
| The organisation must publish the contact details of the DPO | ✓ Art. 37(7) | ✓ Art. 16(8) | ||
| The organisation must communicate contact details of the DPO with the data protection authority | ✓ Art. 37(7) | ✓ Art. 16(8)
Only upon request from the data protection authority
|
||
| Position of the DPO | ||||
| The DPO should perform their duties and tasks in an independent manner, and be able to act on their own authority |
✓ Art. 38(3)/Recital 97) | ✓ Art. 17(2)(b) | ||
| The DPO should have direct access and report to top management |
✓ Art. 38(3) | ✓ Art. 17(2)(c) | ||
| The DPO should have sufficient resources to perform their duties in an effective, objective and independent manner |
✓ Art. 38(2) | ✓ Art. 17(2)(d) | ||
| The DPO should have access to personal data and processing operations within the organisation to carry out their duties and responsibilities |
✓ Art. 38(2) | ✓ Art. 17(2)(e) | ||
| The DPO may hold other roles or titles within the organisation or within each such group, and may fulfil additional tasks and duties |
✓ Art. 38(6) |
✓ Art. 17(4) | ||
| The DPO should not be dismissed or penalised by the organisation for performing their tasks |
✓ Art. 38(3) | ✓ N/A | ||
| The DPO can be found liable personally if their advice lead to a situation of non-compliance of the organisation they represent |
✓ N/A | ✓ N/A | ||
| Role of the DPO |
||||
| The DPO should be properly involved in a timely manner, on all issues relating to the protection of personal data | ✓ Art. 38(1) | ✓ Art. 18(1)(a) | ||
| Any additional tasks and duties fulfilled by the DPO do not result in a conflict of interest | ✓ Art. 38(6) | ✓ Art. 18(1)(c) | ||
| Data subjects may contact the DPO with regard to all issues related to processing of their personal data and the exercise of their rights | ✓ Art. 38(4) | ✓ Art. 18(2) | ||
| Annual review of the organisations processing activities | No, the GDPR is silent on this point. However, the EDPB guidelines recommend that the production of an annual report |
✓ Art. 19 Where a controller is required to appoint a DPO, the DPO must undertake an assessment of the controller's processing activities, at least once per year ("the Annual Assessment"), which shall be submitted to the data protection authorities. This requirement does not seem to be applicable to processing activities undertaken by a data processor. |
||
What can the DPO help with?
The DPO must be independent and should act in a position which does not raise any conflict of interest.
The DPO is the point of contact between data protection authorities and individuals on the one hand, and the organisation which appointed them on the other hand. The role of a DPO consists f monitoring compliance and advising businesses on data protection initiatives. This includes:
- Monitoring an organisation's compliance with the law and any other data protection or privacy-related laws or regulations to which the organisation is subject within the DIFC;
- Providing support to ensure that the relevant policies and procedures are adhered to, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- Informing and providing advice to organisations and its employees who carry out processing of its obligations;
- Advising on issues relating to data protection impact assessments and how to comply with requirements;
- Advising on personal data breaches (best practice); and
- Cooperating with the data protection authorities and act as a point of contact in case of queries.
What are the next steps?
The DIFC Law will leave many of the DIFC's registered businesses questioning whether they should appoint a DPO, particularly when the failure to appoint one if mandated by the DIFC Law could result in a fine of $50,000.
DIFC organisations falling under the requirement to appoint a DPO should appoint one before 1 October 2020.
If you wish to know more about DPO, Bird & Bird's outsourced DPO service, please contact Vincent Rezzouk-Hammachi for more information.
Join our webinar on Wednesday 24 June to learn more about the role of a DPO, their position within an organization as well as local (DIFC) and European requirements for their appointment. Click here to RSVP.
[1] Guidelines on Data Protection Officers (“DPOs”), WP 243 rev.01
