30 September 2020
To ensure compliance with data protection law, employers in the Dubai International Financial Centre (DIFC) should:
On 1 July 2020 the DIFC Data Protection Law (DIFC Law 5/2020) came into force, with organisations given a three-month grace period until 1 October 2020 to ensure compliance with the new provisions.
The new Data Protection Law makes significant changes to the DIFC's existing data privacy regime, introducing changes to the duties and obligations of employers – in their capacities as data controllers – to their employees when processing their personal data. There are a number of important issues which employers should consider and take action on now.
Where employers process personal data, Article 29 of the Data Protection Law lists the information that they must provide – as a minimum – to their employees. In this context, employers must tell their employees of the lawful grounds for which they are processing their personal data.
As a starting point, employers must process personal data for a legitimate purpose in accordance with Article 9 of the Data Protection Law.
In addition, employers need a lawful basis before they may process personal data and special categories of personal data, with the latter term referring to particularly sensitive forms of personal data to which additional safeguards apply.
Traditionally, employers have relied on employee consent as the lawful ground for processing their personal data; however, employers must now show that consent was freely given in a clear statement of words.
Owing to the power imbalance between employers and employees, the DIFC commissioner of data protection has stated that it can be hard for an employer to prove that the employee consented 'freely' to the processing of their personal data, especially where consent is wrapped up in the terms of the employment contract. This is because employees who have consented to the processing of their personal data must be able to withdraw their consent at any time.
Accordingly, any exercise of this right, where an employer relies on consent as its lawful basis, may leave the employer exposed; the employer will need to stop processing the employee's personal data as soon as is reasonably practicable.
To echo the commissioner's position, the recommendation for employers relying on consent is to consider the availability of an alternative lawful ground, for example:
When thinking about alternative lawful grounds, the commissioner has stipulated that employers should avoid relying on consent as the lawful basis while keeping another ground as a backup in case consent is withdrawn. This approach carries the risk of providing employees with unclear information and may complicate the exercise of their data subject rights.
One of the main changes introduced by the Data Protection Law is the enhancement of data subject rights with reference to their personal data by:
There are a number of data subject rights that employers must understand.
Right to access personal data
The right to access personal data, also known as a subject access request (SAR), gives employees a right to receive, within one month and without charge, a copy of their personal data held by their employer.
The concept of 'personal data' is defined widely under statute and providing an employee with a copy of all of their personal data can be an onerous task for employers. Therefore, when responding to an SAR, employers should:
Withdraw consent to the processing of personal data
Employees have the absolute right to withdraw, at any time, consent given to the processing of their personal data (discussed above in detail).
Erasure of personal data
Where, for example, an employer cannot show that the personal data is no longer necessary for its original purpose, the employee has the right to have their personal data erased. This right is also known as the 'right to be forgotten'.
Employers should consider this data subject right to erasure, alongside their retention obligations under the DIFC Employment Law.
Objection to processing of personal data
Unless an employer can show that it has a compelling legitimate ground that overrides the interests of the employee, the employee may object to the processing of certain of their personal data.
Non-discrimination for exercising data subject rights
Employers should ensure that they do not discriminate against an employee for exercising one of their other data subject rights under the Data Protection Law. This data subject right is different to the rights under the DIFC Employment Law, which permit an employee to claim discrimination based on a protected characteristic. This is a new provision introduced by the Data Protection Law that could have far-reaching implications for employment relationships.
If, in response to an employee exercising one of their data subject rights, an employer must stop processing employee personal data, this could threaten the continuance of the employment relationship. However, and in light of the risk of a fine of up to $100,000 for any contravention of a data subject's rights, employers must carefully manage employee personal data rights against their business demands.
The approaching compliance deadline of 1 October 2020 should spur employers that have yet to review employee policies, contracts and data processing to do so urgently and put a plan in place to make any necessary changes. There are additional issues which employers should be thinking about, including the new and updated definitions in the Data Protection Law. For example, consideration should be given to when an employer may be acting in the capacity of a controller, processor or joint controller in relation to employee personal data, as well as the updated meaning of 'special categories of personal data' to include communal origin, political affiliation and criminal record information.
Employers must also be clear as to who is classified as an 'employee' for the purposes of the Data Protection Law. Where businesses engage contractors or consultants, it is likely that different lawful grounds will need to be identified for the processing of non-employee personal data and special category personal data.
In addition to the risk of fines and other regulatory penalties, compliance with the Data Protection Law will be vital to:
For further information on this topic please contact Luke Tapp, Marie Chowdhry or Ruth Stephen at Pinsent Masons by telephone (+971 4 373 9700) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Pinsent Masons website can be accessed at www.pinsentmasons.com.