DP Assessment Tool – Article 28

Sharing Personal Data at the request of a public authority, aka a Requesting Authority, is the subject matter of Article 28 of the DIFC DP Law 2020.  While all data sharing should be undertaken with due caution and applicable safeguards, sharing with a Requesting Authority is a slightly different situation.  Such sharing requests may be for beneficial purposes, such as process improvement or to support research to enhance our daily lives.  It may also be in response to requests for information about criminal activity or other similar purposes. 

Regardless of the reason, sharing with Requesting Authorities is often for more nuanced reasons than sharing with a business or other organization (Controller or Processor) that in certain cases result in a negative impact on the individual.  Additionally and regardless of the reason, an individual may not be aware of or wish for their data to be shared (at all), but you as the Controller or Processor may not have a choice in the matter when a Requesting Authority is making the request. Regulations or court orders are examples of lawful bases, set out in the DP Law 2020 and in others like it, that to some degree take the decision out of your hands and apart from a suitable privacy notice, will in certain cases not be common knowledge to the data subject.  Even so, Article 28 acts to encourage additional due diligence and safeguards to ensure that even where mandatory, there is at least a basic understanding that any data shared with a Requesting Authority will be processed in a lawful, fair, and ethical way.

Please review the DP Law 2020, the Data Export and Sharing Handbook, and the Commissioner’s Article 28 Guidance for further information, both of which are available here. All guidance is available on the DIFC DP Guidance website. The Data Export and Sharing page of the DIFC DP website also contains helpful information about a variety of data sharing topics.

Please note that this assessment tool / guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.

Personal data, if any, that is collected as a result of completing this assessment will be handled in accordance with the DIFC Online Data Protection Policy.
 

1. Have you received a request from a Requesting Authority to share personal data? 

Note: for the purposes of DP Law 2020, a public authority, acting as a Requesting Authority, means any recognised government bodies, authorities, law enforcement agencies or other similar regulatory authority established in a country or jurisdiction, including Third Countries, that administers policies, laws and regulations of the country or jurisdiction.

Is the Requesting Authority a DIFC Body (DFSA, DIFC Courts)?

In accordance with Article 28(1), upon receiving the request, have you engaged with the Requesting Authority (where possible) to:

Note: If you are stuck, please review the Article 28 Guidance issued by the Commissioner of DP for any assistance on how to complete these actions before responding to a data sharing request from a Requesting Authority.

In accordance with Article 28(2), if required, have you undertaken reasonable steps, especially where you were unable to achieve any of the actions set out in Q3, to satisfy yourself that:

Note: If you are stuck, please review the Article 28 Guidance issued by the Commissioner of DP for any assistance on how to complete these actions before responding to a data sharing request from a Requesting Authority.

As you are transferring personal data for this request to a non-DIFC public authority, have you considered Article 26 and Article 27 safeguards?

Note: For further support, please run the Data Export and Sharing Assessment tool.