1 / 16

Data Protection in the DIFC Outreach Session Office of Data Protection 4 June 2013

Data Protection. Data Protection in the DIFC Outreach Session Office of Data Protection 4 June 2013. Data Protection. Data Protection. Agenda. 9:00 Welcome note by the Commissioner of Data Protection

lundy
Download Presentation

Data Protection in the DIFC Outreach Session Office of Data Protection 4 June 2013

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Data Protection Data Protection in the DIFCOutreach SessionOffice of Data Protection4 June 2013 Data Protection Data Protection

  2. Agenda 9:00 Welcome note by the Commissioner of Data Protection 9.10 An introduction to Data Protection Law - Camelia Quinnell, Legal Counsel, DIFC Authority 9:30 An overview of the eight data protection principles - Tom Butcher, Counsel and Andrew Kenning, Senior Associate Allen & Overy Q&A session 10:00 Sharing data with regulators - Graham Lovett, Partner, Clifford Chance Q&A session 10:30 Responding to data breaches - Dino Wilkinson, Partner, Norton Rose Q&A session 11:00 A general overview of the data protection in the region (UAE, Qatar, Oman etc.) - Nick O’Connell, Senior Associate, Al Tamimi & Co. Q&A session 11.30 Closing remarks by the Commissioner

  3. Agenda • Data Protection in the DIFC • Role of Data Protection Commissioner • Amendments to the Data Protection Law and Regulations

  4. DIFC Law No. 9 of 2004 Administered by DFSA DIFC Law No.1 of 2007 Administered by DIFCA Data Protection in the DIFC: Evolution & Scope • The Data Protection Law No. 9 of 2004 (“Data Protection Law”) came into force on 16 September 2004 and was later repealed by Data Protection Law No. 1 of 2007. • The Data Protection Law now applies to ALL DIFC registered entities, both regulated and non-regulated, that may process personal data to carry out their business activities, including Authorised Firms, Authorised Market Institutions and Ancillary Service Providers, and all other entities including sole traders, hotels, shops, restaurants etc. and all individuals. • The Data Protection Regulations came into force on 15 February 2007. • The latest amendments to the Data Protection Law and Regulations came into effect in December 2012.

  5. Data Protection in the DIFC • DIFC Data Protection Legislation: • Embodies international best practice standards, and is consistent with the 95/46 EU directive and OECD guidelines on privacy & data protection. • Is designed to balance the legitimate needs of businesses to process personal information while upholding an individual’s right to privacy. • DIFC is the only jurisdiction in the region with an established Data Protection regime compliant with EU standards.

  6. DP legislation in the DIFC: main functions • The Data Protection legislation has 2 main functions: • Confers rights to an individual in relation to how their personal data is processed; and • Places obligations on those who process an individual’s personal information.

  7. Processing of Personal Data in the DIFC • Personal data may only be processed if there is: • written consent of the data subject; • it is necessary for the performance of a contract to which the data subject is party; • it is necessary for compliance with a legal obligation; OR • it is necessary to protect the vital interests of the data subject. • Data Controllers must ensure that Personal Data which they process is: • Processed fairly, lawfully and securely; • Processed for specified, explicit and legitimate purposes ; • Adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further Processed; • Accurate and, where necessary, kept up to date; and • Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data was collected. • Every reasonable step must be taken by data controllers to ensure that inaccurate or incomplete personal data must be erased or rectified.

  8. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • Bringing the Data Protection Law in line with international best practices • The definition of “Personal Data” in the Defined Terms of the Law has been amended to include reference to “Data” instead of “information”. • A new definition of “Data” has also been proposed, which includes reference to “Relevant Filing Systems”. • Data that either refers to individuals, or to criteria relating to any individuals, will be captured in such a way that specific information about that individual is readily accessible.

  9. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • It is important to note that, if we are able to identify an individual partly on the Data held and partly on other information, the Data held will still be viewed as “Personal Data”. • . • Example: • An organisation holds data about its investors in an electronic format. The electronic database does not make references to names of individuals, it only bears unique reference numbers which can be matched to a card index system to identify the individuals concerned. That information held electronically is Personal Data

  10. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • Article 38 General Exemptions • Article 38 is a new Article which empowered the DIFCA Board of Directors to make Regulations exempting Data Controllers from compliance with the Law or any parts of it. Currently, the exempted Data Controllers are the DFSA, DIFCA and the Registrar of Companies. • This exemption is limited to those instances where the exempted Data Controllers are exercising their powers and functions as prescribed in relevant legislation that they administer, including any powers or functions delegated to them. The ability of the DFSA, DIFCA and the Registrar of Companies to effectively perform their supervisory and enforcement powers is regarded as being of critical importance to the reputation of the DIFC as an international financial centre. • This amendment is in line with the data protection regimes adopted in other recognised international financial jurisdictions, where similar public authorities are exempt from certain data protection requirements.

  11. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • Ensuring the register is comprehensive and kept up-to-date • Article 21 Duty to notify changes • Article 21 is a new Article which makes the Data Controller responsible for notifying the Commissioner of Data Protection of any changes to its registrable particulars. • It will be an offence for a Data Controller to fail to notify the Commissioner of Data Protection of changes to its register entry. • Regulation 6.4 provides that such notification must be given as soon as possible and in any event within a period of 14 days from the date upon which the entry becomes inaccurate or incomplete as a statement of the Data Controller’s registrable particulars.

  12. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • Introduction of a system of fines and fees • Articles 35 (General contravention), 36 (Administrative imposition of fines) and 39 (Fees) • The amendments to implement the framework of contraventions, fines and fees are set out in new Articles 35 (General contravention), 36 (Administrative imposition of fines) and 39 (Fees). • The inclusion of a system of fees payable to the Commissioner of Data Protection, as well as a system of fines for contraventions, form a major part of the amendments to the Data Protection Law and Regulations. • Previously, there were no provisions relating to contraventions and the administrative imposition of fines. Such changes were essential in order for the DIFC Commissioner of Data Protection to properly administer the Law and exercise his powers and functions in an effective manner.

  13. Overview of the amendments to the DIFC Data Protection Law No.1 of 2007 and Regulations • Regulation 7.1 is the key operative provision setting out how the new system of fines will operate. • A table of the fees is set out in Appendix 1 to the Data Protection Regulations • A table of the fines and what triggers the requirement to pay a fine is set out in Schedule 2 to the Data Protection Law.

  14. Data Protection in the DIFC: Fines Table of Fines

  15. Data Protection at the DIFC Thank you

More Related