Skip survey header

DP Assessment Tool – Notification to the DIFC Commissioner of Data Protection (Article 14)

Personal Data (PD) is defined in the DP Law 2020 in Schedule 1, Article 3 as any information referring to an identified or Identifiable Natural Person.  An Identifiable, Natural Person means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly).

In practice, Personal Data can be all sorts of things.  It includes employee files that contain hiring and termination information, health insurance information, or anything else employment related that identifies that person.  It is client data, including information recorded on invoices, from business cards, on reservation apps or books, and so on. It can be supplier data, recorded in or as a result of any contracts for services or goods.  PD is not limited by any other distinctions, such as business or personal, public or private, large amounts or small amounts. If it identifies somebody, then it is PD. 

If your entity stores, transfers, shares it internally, deletes, gives to another entity, or any other operation is performed on PD or using PD, then it is processing PD.

The DP Law 2020, at Article 14(7) and (8), and as specified in the Data Protection Regulations (DP Regulations) at Section 3.1.3, when Controller or Processor is Processing PD, it must notify the DIFC Commissioner of Data Protection using the Client Portal, and relevant details, including the name and location of the Data Protection Officer (if appointed), will be posted on the DIFC Public Register.  
1. Does your entity (Controller or Processor) Process Personal Data?

Controllers or Processors could be ANY entity incorporated in DIFC that either i) alone or jointly with others determines the purposes and means of the Processing of Personal Data (“Controller”) or ii) Processes Personal Data on behalf of a Controller (“Processor”, including Sub-processors).  

Processing means that you collect, store, access, analyse or otherwise use personal data for any reason such as visa processing, employee insurance or payroll, customer databases for marketing or other purposes, etc.

Please review Schedule 1, Article 3 of the DP Law 2020 for further definition details.