Data Protection in the DIFC Outreach Session
Office of Data Protection, 4 June 2013


Feb 06, 2016

Transcript
Page 2: Data Protection in the DIFC Outreach Session Office of Data Protection 4 June 2013

Agenda

9:00 Welcome note by the Commissioner of Data Protection

9:10 An introduction to Data Protection Law - Camelia Quinnell, Legal Counsel, DIFC Authority

9:30 An overview of the eight data protection principles - Tom Butcher, Counsel, and Andrew Kenning, Senior Associate, Allen & Overy

Q&A session

10:00 Sharing data with regulators - Graham Lovett, Partner, Clifford Chance

Q&A session

10:30 Responding to data breaches - Dino Wilkinson, Partner, Norton Rose

Q&A session

11:00 A general overview of data protection in the region (UAE, Qatar, Oman etc.) - Nick O'Connell, Senior Associate, Al Tamimi & Co.

Q&A session

11:30 Closing remarks by the Commissioner


Page 3

Agenda

• Data Protection in the DIFC

• Role of Data Protection Commissioner

• Amendments to the Data Protection Law and Regulations

Page 4

Data Protection in the DIFC: Evolution & Scope

• The Data Protection Law No. 9 of 2004 (“Data Protection Law”) came into force on 16 September 2004 and was later repealed by Data Protection Law No. 1 of 2007.

• The Data Protection Law now applies to ALL DIFC registered entities, both regulated and non-regulated, that may process personal data to carry out their business activities, including Authorised Firms, Authorised Market Institutions and Ancillary Service Providers, and all other entities including sole traders, hotels, shops, restaurants etc. and all individuals.

• The Data Protection Regulations came into force on 15 February 2007.

• The latest amendments to the Data Protection Law and Regulations came into effect in December 2012.

DIFC Law No. 9 of 2004: administered by the DFSA

DIFC Law No. 1 of 2007: administered by the DIFCA

Page 5

Data Protection in the DIFC

DIFC Data Protection Legislation:

• Embodies international best practice standards, and is consistent with EU Directive 95/46/EC and the OECD guidelines on privacy and data protection.

• Is designed to balance the legitimate needs of businesses to process personal information while upholding an individual's right to privacy.

• DIFC is the only jurisdiction in the region with an established Data Protection regime compliant with EU standards.

Page 6

DP legislation in the DIFC: main functions

The Data Protection legislation has 2 main functions:

1. Confers rights on an individual in relation to how their personal data is processed; and

2. Places obligations on those who process an individual's personal information.

Page 7

Processing of Personal Data in the DIFC

Personal data may only be processed if:

• the data subject has given written consent;

• it is necessary for the performance of a contract to which the data subject is party;

• it is necessary for compliance with a legal obligation; OR

• it is necessary to protect the vital interests of the data subject.

Data Controllers must ensure that Personal Data which they process is:

• Processed fairly, lawfully and securely;

• Processed for specified, explicit and legitimate purposes;

• Adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further Processed;

• Accurate and, where necessary, kept up to date; and

• Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected.

Every reasonable step must be taken by Data Controllers to ensure that inaccurate or incomplete Personal Data is erased or rectified.

Page 8

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

Bringing the Data Protection Law in line with international best practices

The definition of “Personal Data” in the Defined Terms of the Law has been amended to include reference to “Data” instead of “information”.

A new definition of “Data” has also been proposed, which includes reference to “Relevant Filing Systems”.

A Relevant Filing System is a set of Data that is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information about a particular individual is readily accessible.

Page 9

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

It is important to note that, if an individual can be identified partly from the Data held and partly from other information, the Data held will still be regarded as "Personal Data".

Example:

An organisation holds data about its investors in an electronic format. The electronic database does not refer to the names of individuals; it only bears unique reference numbers, which can be matched to a card index system to identify the individuals concerned. The information held electronically is Personal Data.

Page 10

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

Article 38 General Exemptions

Article 38 is a new Article which empowers the DIFCA Board of Directors to make Regulations exempting Data Controllers from compliance with the Law or any parts of it. Currently, the exempted Data Controllers are the DFSA, DIFCA and the Registrar of Companies.

This exemption is limited to those instances where the exempted Data Controllers are exercising their powers and functions as prescribed in relevant legislation that they administer, including any powers or functions delegated to them. The ability of the DFSA, DIFCA and the Registrar of Companies to effectively perform their supervisory and enforcement powers is regarded as being of critical importance to the reputation of the DIFC as an international financial centre.

This amendment is in line with the data protection regimes adopted in other recognised international financial jurisdictions, where similar public authorities are exempt from certain data protection requirements.

Page 11

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

Ensuring the register is comprehensive and kept up-to-date

Article 21 Duty to notify changes

Article 21 is a new Article which makes the Data Controller responsible for notifying the Commissioner of Data Protection of any changes to its registrable particulars.

It will be an offence for a Data Controller to fail to notify the Commissioner of Data Protection of changes to its register entry.

Regulation 6.4 provides that such notification must be given as soon as possible and in any event within a period of 14 days from the date upon which the entry becomes inaccurate or incomplete as a statement of the Data Controller’s registrable particulars.

Page 12

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

Introduction of a system of fines and fees

Articles 35 (General contravention), 36 (Administrative imposition of fines) and 39 (Fees)

The amendments to implement the framework of contraventions, fines and fees are set out in new Articles 35 (General contravention), 36 (Administrative imposition of fines) and 39 (Fees).

The inclusion of a system of fees payable to the Commissioner of Data Protection, as well as a system of fines for contraventions, form a major part of the amendments to the Data Protection Law and Regulations.

Previously, there were no provisions relating to contraventions and the administrative imposition of fines. Such changes were essential in order for the DIFC Commissioner of Data Protection to properly administer the Law and exercise his powers and functions in an effective manner.

Page 13

Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations

Regulation 7.1 is the key operative provision setting out how the new system of fines will operate.

A table of the fees is set out in Appendix 1 to the Data Protection Regulations.

A table of the fines and what triggers the requirement to pay a fine is set out in Schedule 2 to the Data Protection Law.

Page 14

Data Protection in the DIFC: Fines

Table of Fines (nature of administrative offence and maximum fine)

Failure to register with the Office of the DP Commissioner: $25,000

Failure to notify the Commissioner of any amendments to personal data operations: $5,000

Failure to comply with the requirements for legitimate processing specified under Article 9 of the Law made for the purpose of this Law: $15,000

Company transferring personal data outside the DIFC without obtaining a permit: $20,000

Failing to implement and maintain technical and organisational measures to protect Personal Data in accordance with Articles 16(1) and 16(2) of the Law made for the purpose of this Law: $10,000

Company processing sensitive personal data without obtaining a permit: $10,000

Failure to comply with a direction or order from the Commissioner: $15,000

Page 15

Thank you

Data Protection at the DIFC
