
DP Assessment Tool – Data Export and Sharing

Articles 26 and 27 of DP Law 2020 address Data Export. This means any sharing of DIFC-related / collected Personal Data that is sent to another entity (Controller or Processor) outside of the DIFC. The law defines these entities as 1) Third Countries or 2) International Organisations. For the purposes of this tool, the term Third Country will refer to both.

Special Note about Privacy Shield: Please note that the Court of Justice of the European Union (the Court) recently clarified in the “Schrems II” decision that enhanced due diligence should be done on the data protection regime of the destination country or organisation prior to making the restricted transfer when using the standard contractual data protection clauses. Finally, in the same decision, the Court invalidated a transfer mechanism called Privacy Shield.

As DIFC has not permitted this transfer option previously, hopefully the impact on DIFC entities will be low. However, if your entity is part of a multi-national or large group business that does use Privacy Shield for certain transfers / onward transfers to the United States, please consider reviewing any transfers made by your entity outside of the DIFC to affiliates in the EU to ensure they are compliant with Article 27 of the DIFC DP Law 2020.

Further, Article 28 addresses sharing personal data in response to government authority information requests. Please review and understand your obligations prior to making any such transfers by answering the questions in this tool.

For further assistance, please review the Commissioner’s comprehensive Guidance on DP Law 2020 as well as specific Data Export and Sharing Guidance. Please note that all such guidance is for informational purposes only and should not be construed as legal advice provided by the Commissioner’s Office. 


 
1. Are you Processing Personal Data that will be transferred (including sharing, ending up in, storing, or sending) to a Third Country, i.e., a destination anywhere outside the DIFC jurisdiction?
Do some or all of the Third Country jurisdictions provide for an adequate level of protection* for the Personal Data by way of an applicable data protection law, including any onward transfers from the Third Country to another Third Country?  In other words, if the Personal Data comes to rest for Processing in a Third Country with adequate data protection laws, controls and policies in place, then it is being transferred in accordance with Article 26(1).

*list of recognised countries available at hyperlink
 
Are some or all of the Third Country jurisdictions to which the Personal Data will be transferred not currently recognised by the DIFC DP Commissioner as having adequate data protection laws? Note: If a Third Country is not listed at the hyperlink above, then it is not recognised.
Because you have answered that you are sending Personal Data to certain Third Countries that have not yet been recognised as providing an adequate level of protection, are the transfers (including sharing, ending up in, storing, or sending) of Personal Data to these jurisdictions compliant with Article 27(1)(a to c) of DP Law 2020?

Article 27. Transfers out of the DIFC in the absence of an adequate level of protection
(1) A transfer or a set of transfers of Personal Data to a Third Country or an International Organisation may take place on condition that:
(a) the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2)), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
(b) one of the specific derogations in Article 27(3) applies; or
(c) the limited circumstances in Article 27(4) apply.

 
2. Are you in any case sharing personal data in response to a government authority's request for information?