Skip survey header

DP Assessment Tool – Data Export and Sharing

Articles 26 and 27 of DP Law 2020 address Data Export. This means any sharing of DIFC-related / collected Personal Data that is sent to another entity (Controller or Processor) outside of the DIFC.  The laws defines these entities as 1) Third Countries or 2) International Organisations. For the purposes of this tool, the reference Third Country will refer to both. 

Special Note about Privacy Shield:  Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield . 

As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020. For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office.
1. Are you Processing Personal Data that will be transferred (including sharing, ending up in, storing, or sending,) to a Third Country, i.e., a destination anywhere outside the DIFC jurisdiction?
Does the Third Country jurisdiction provide for an adequate level of protection for the Personal Data by way of an applicable data protection law, including any onward transfers from the Third Country to another Third Country?  In other words, if the Personal Data comes to rest for Processing in a Third Country with adequate data protection laws, controls and policies in place, then it is being transferred in accordance with Article 26(1).
Are you Processing Personal Data that will be transferred (including sharing, ending up in, storing, or sending,) in accordance with Article 27(1)(a to c) of DP Law 2020?

Article 27. Transfers out of the DIFC in the absence of an adequate level of protection
(1) A transfer or a set of transfers of Personal Data to a Third Country or an International Organisation may take place on condition that:
(a) the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2)), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
(b) one of the specific derogations in Article 27(3) applies; or
(c) the limited circumstances in Article 27(4) apply.