Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.Find out more
We are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.Read the full edition
Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data / Intellectual Property
In this article we consider the obligations on data controllers, under the DIFC Data Protection Law, to make formal notification in the event of a breach of personal data.
The Dubai International Financial Centre is a financial services free zone with a European-style data protection regime.
The DIFC Data Protection Law (DIFC Law No. 1 of 2007, as amended) requires data controllers to implement appropriate technical and organizational measures to protect against accidental, negligent or unlawful loss, disclosure or access to personal data, particularly in the context of the processing of sensitive personal data or the transfer of personal data to recipients outside the jurisdiction of the DIFC. Such measures are required to ensure a level of security appropriate to the risks presented by the manner of processing and the nature of the personal data in question. When engaging a data processor to process personal data on its behalf, a data controller is required to select a data processor able to provide sufficient guarantees in respect of the technical and organizational security measures it will apply to such processing.
Significantly, Article 16(4) of the DIFC Data Protection Law states:
In the event of an unauthorised intrusion, either physical, electronic or otherwise, to any personal data database, the data controller or the data processor carrying out the data controller’s function at the time of the intrusion, shall inform the commissioner of data protection of the incident as soon as reasonably practicable.
The DIFC Commissioner of Data Protection’s expectation regarding the timeframe for reporting a breach is ‘as soon as reasonably practicable’. The Commissioner is open to receiving an initial notification giving high-level details of the breach, with a more detailed report and set of remedial actions delivered as swiftly as possible without unjustifiable delays. Based on other timeframes referred to in the DIFC Data Protection Law (albeit in other contexts) there is some likelihood that a period longer than 14 days from the event giving rise to the notification would be considered ‘too long’, particularly where there was no obvious justification. Acting swiftly is likely to be seen favourable when the Commissioner is considering if any disciplinary action is appropriate.
There is no explicit obligation in the DIFC Data Protection Law with regard to notifying affected data subjects. Despite this, guidance issued by the Commissioner in respect of Article 16(4) indicates that the Commissioner expects that it may be appropriate to notify affected data subjects – and such notification would be taken into account when the Commissioner is assessing the nature of any disciplinary action that it may wish to take in response to the breach.
The Commissioner’s guidance mentions that a breach notification should:
It also states that, at a minimum, the Commissioner would expect the following to be addressed in a report relating to a breach:
The references to giving ‘clear and specific advice on what data subjects can do’, and providing ‘a helpline or webpage where data subjects can find out more’, generally support the view that affected data subjects should be notified of a breach. In contrast, the Commissioner’s guidance also alludes to ‘whether affected individuals […] have been informed’. This could be read as indicating that it is not always essential to notify affected data subjects of a data breach, and that the Commissioner would be open to taking a case-by-case approach when considering whether such notification is appropriate.
The DIFC’s guidance on notifications to the Commissioner in the event of a data breach refers to what the ‘data controller’ should do. Our view is that this should be read as extending to the ‘data processor’ (if it is the data processor that is notifying the Commissioner pursuant to Article 16) – although in practical terms our recommendation would generally be for any breach notification to be communicated to the Commissioner via the DIFC-based data controller.
There are a range of other issues that may also need to be considered by a data controller in the DIFC in the event of a data breach. These include whether or not any related transfers of personal data outside the jurisdiction were compliant with the requirements for processing/transferring as set out in the DIFC Data Protection Law, whether or not the Regulator of financial services firms set up in the DIFC will also need to be notified, and whether the data breach should also be notified to the police.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on privacy and data protection matters in the Middle East. For further information, please contact Nick O’Connell – firstname.lastname@example.org
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.