
Individuals' Data Protection Rights Response Assessment

Articles 32 to 40 address Rights of Data Subjects (Part 6 of the DIFC DP Law 2020). Under the DP Law and others like it, individuals (“requestor”, “individual”, or the combinations or plural of these terms) whose Personal Data is collected and processed have fundamental rights to know about such activities. The DP Law ensures that individuals have the right to access, rectification, erasure or restriction of the Personal Data that a DIFC registered entity processes about them, if any. Individuals also have the right to object to such processing, to ask that it be handled manually, or to be given options for portability. They should be told in advance about the Article 40 methods for contacting the organization, and also informed about the right to complain in any response that is provided. The following information addresses how an individual may exercise these rights and sets out guidance for DIFC registered entities about how to respond in accordance with the DP Law.

Please note that this assessment tool / guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.
1. Did we receive a question from an individual (the “Requestor”) in writing, verbally or by some other format (including text message), asking what sort of personal data we process about him or her? 

A request from an individual must normally be in writing, but there is no specific format required. What is important is for both parties, the requestor and the Controller, to understand the request in order to respond accordingly. Requests may include one or more of the following rights, as set out in Articles 32 to 40 of the DP Law 2020:

(a) to withdraw consent at any time and for any reason (not to be confused with making a request for cessation of processing, under Article 22);
(b) to access Personal Data;
(c) to take action to rectify, restrict, erase or destroy inaccurate data; [please note special information provision requirements regarding the right to erasure, set out in Article 29(1)(h)(ix)]
(d) to object to the Processing of Personal Data at any time on reasonable grounds relating to the individual’s situation;
(e) to be informed before Personal Data is disclosed for the first time to third parties or used on their behalf or to object to disclosure to third parties or in relation to direct marketing;
(f) for the individual to lodge a claim, make a complaint and request mediation;
(g) for portability of his or her Personal Data between Controllers;
(h) to object to any decision based solely on automated Processing, including Profiling, which produces legal consequences concerning him or other seriously impactful consequences and to require such decision to be reviewed manually;
(i) to non-discrimination where the Data Subject exercises any such rights; and
(j) to have available at least two (2) methods of contacting the Controller to exercise such rights.

Do we know who the Requestor is? 

A responding entity may request additional information to authenticate the Requestor’s identity when required. Authentication is also a valid security safeguard against providing Personal Data to the wrong person, particularly in the context of online services and online identifiers.
Do we understand what the request is (i.e., scope, search criteria, format and delivery requirements)?

Respondents to a data request:
  • Should refine the scope of the Personal Data requested: A responding entity may ask questions to get a better understanding of the universe of data requested and will indicate potential technological or other issues in advance to ensure a response that is reasonably appropriate, useful and informational. Compliance with the SAR is only required once such information is received.
  • Must search for Personal Data requested: A responding entity will use appropriate measures to exhaust its search for the Personal Data that has been requested, but should notify the individual of whether the search will entail disproportionate measures and any next steps to resolve the issue.
  • Determine format and Delivery: The DP Law requires that the response must be made in an intelligible form. A responding entity should agree the format of the response with the individual requestor in advance if possible. Also, before supplying any information in response to a SAR, please check that the individual’s postal or email address or any other contact information to which the data is to be sent is correct.
Do any exemptions, limitations or exclusions apply impacting whether we respond or not?
Please identify any potential limitations or exclusions:

Exclusions – data does not qualify as Personal Data of this individual.
Limitations – recipients of the request may decide not to act. 
Please identify any potential exemptions:

Exemptions – the Body or organization does not have to provide a response:
Can you respond within one month from the date of a valid request? 

In accordance with the DP Law, responses must be provided within one (1) month of the request, subject to any other applicable conditions set out in the relevant provisions of the DP Law 2020. For example, in certain circumstances, it may take a considerable amount of time and / or cost to properly search for the Personal Data requested. In these cases, a responding entity must continue to communicate with the individual requestor about any timing issues and potential resolutions. A further two (2) months to address particularly complex requests may be assessed as necessary by the responding entity, to be determined on a case by case basis and to be communicated to the individual requestor citing reasons for the delay.
Request responses must be provided free of charge, with the exception of those cases that result in inordinately high administration costs or where additional copies are to be provided. Will no fee be required?
Are there any special matters to consider prior to responding?

Special matters include requests from former employees for access to their Personal Data, requests that are manifestly unfounded or excessive, or those that are complex or repetitive. Please see the Commissioner’s guidance for assistance.