Articles 26 and 27 of DP Law 2020 address Data Export. This means any sharing of DIFC-related / collected Personal Data that is sent to another entity (Controller or Processor) outside of the DIFC. The laws defines these entities as 1) Third Countries or 2) International Organisations. For the purposes of this tool, the reference Third Country will refer to both.
Special Note about Privacy Shield: Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield .
As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020.
Further,
Article 28 addresses sharing personal data in response to government authority information requests. Please review and understand your obligations prior to making any such transfers by answering the questions in this tool.
For further assistance, please review the Commissioner’s comprehensive
Guidance on DP Law 2020 as well as specific
Data Export and Sharing Handbook. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.