Personal Data (PD) is defined in the DP Law 2020 in Schedule 1, Article 3 as any information referring to an identified or Identifiable Natural Person. An Identifiable Natural Person means a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity (and "Identified Natural Person" is interpreted accordingly).
In practice, Personal Data can be all sorts of things. It includes employee files that contain hiring and termination information, health insurance information, or anything else employment related that identifies that person. It is client data, including information recorded on invoices, from business cards, on reservation apps or books, and so on. It can be supplier data, recorded in or as a result of any contracts for services or goods. PD is not limited by any other distinctions, such as business or personal, public or private, large amounts or small amounts. If it identifies somebody, then it is PD.
If your entity stores PD, transfers it, shares it internally, deletes it, gives it to another entity, or performs any other operation on or using PD, then it is processing PD.
Under the DP Law 2020, at Article 14(7) and (8), and as specified in the Data Protection Regulations (DP Regulations) at Section 3.1.3, when a Controller or Processor is Processing PD, it must notify the DIFC Commissioner of Data Protection using the Client Portal, and relevant details, including the name and location of the Data Protection Officer (if appointed), will be posted on the DIFC Public Register.
Personal data, if any, that is collected as a result of completing this assessment will be handled in accordance with the DIFC Online Data Protection Policy.