Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreThis special edition of Law Update, marking Al Tamimi & Company’s 35th anniversary, explores the evolving legal landscape of energy and climate law across the region.
As the Middle East prioritises sustainable growth, this edition examines key developments shaping the future of the sector. From the UAE’s Federal Law No. 11 of 2024 to advancements in green hydrogen, solar financing, and carbon capture technology, we spotlight the innovative strides and challenges defining this critical area.
We also go into Saudi Arabia’s initiatives to integrate carbon capture into its industrial expansion and Egypt’s AFRICARBONEX platform, which underscores the region’s commitment to a sustainable and inclusive future.
Join us as we celebrate 35 years of legal excellence and forward-thinking insights, paving the way for a more sustainable tomorrow.
Read NowCharlotte Sutcliffe - Associate - Digital & Data
The Dubai International Financial Centre (‘DIFC’) has issued a new DIFC Data Protection Law, DIFC Law No. 5 of 2020 (‘DIFC Data Protection Law’). The DIFC Data Protection Law replaces the previous DIFC data protection law, DIFC Law No. 1 of 2007.
Modelled on Europe’s General Data Protection Regulation (‘GDPR’), the DIFC Data Protection Law provides enhanced standards and controls for the processing and movement of personal data by controllers and processors, and protects the fundamental rights of data subjects. One purpose of the DIFC Data Protection Law is to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
In this article, we explore the obligations on ‘controllers’ (i.e. entities that control the processing of personal data) and ‘processors’ (i.e. entities that process personal data under the direction of a controller) to notify the DIFC Data Protection Commissioner, and affected data subjects, in the event of personal data breach incidents.
Guidance issued by the Commissioner of Data Protection sets out that controllers and processors should consider the following matters with regards to enhancing information security and protecting against personal data breaches:
Controllers and processors should prepare an incident response plan to ensure the correct procedures are followed to reduce the risk of personal data breaches, and to know what to do if a breach incident occurs. The incident response plan should be aligned to the personal data breach requirements in the DIFC Data Protection Law.
Controllers and processors should ensure they provide specific DIFC Data Protection Law training to personnel, including training focussed on data breach incidents. Such training will assist personnel in recognising data breach incidents, which can take a variety of forms, ranging from inadvertently sending an email to the wrong recipient through to sophisticated hacking events.
The DIFC Data Protection Law sets out that if there is a personal data breach that compromises a data subject’s confidentiality, security or privacy, the controller involved shall, “as soon as practicable” in the circumstances, notify the personal data breach to the DIFC Commissioner of Data Protection. If a processor discovers a personal data breach, the processor is required to notify the relevant controller without undue delay.
The notification to the Commissioner should:
When a personal data breach is likely to result in a high risk to the security or rights of a data subject, the controller shall communicate the personal data breach to an affected data subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the data subject, the controller shall promptly communicate with the affected data subject in clear and plain language containing the following information (at the least):
The Commissioner has the option to communicate the personal data breach to the data subjects where there is a high risk to the security or rights of the data subjects involved, or otherwise direct the controller to make a public communication disclosing that the personal data breach has occurred.
The DIFC position in relation to personal data breach notification obligations is similar to the GDPR approach, but there are some distinct differences:
Controllers and processors subject to the DIFC Data Protection Law must ensure they are across all obligations with respect to data breach notification obligations, including with regard to notifications to the Commissioner of Data Protection and to affected data subjects. Besides the risk of fines and claims for damages, failure to act appropriately in addressing data breach incidents can also result in reputational damage.
For more information, please contact Martin Hayward (m.hayward@tamimi.com) or Charlotte Sutcliffe (c.sutcliffe@tamimi.com).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.