The final Law Update of 2022 is here, and it’s packed full of articles. The double edition features two focus areas, first is a spotlight on Energy and Resources and second we feature a collection of articles on Transport and Logistics. The developments occurring in these sectors in the MENA region are unprecedented and our lawyers cover vast themes for you.
The Energy and Resources focus features topics such as diversifying energy resources, solar PV, mining in the Middle East, renewable energy and green hydrogen. From a transport perspective, we draw attention to the Bahrain metro project, discuss the challenges and remedies associated with the repossession of an aircraft, and there is advice on what to consider should a party vary the terms of a shipping contract.
This edition navigates you through updates from across jurisdictions such as, Oman, Jordan, Saudi Arabia, Egypt, Iraq, Qatar, and the UAE. Each article is timely and provides insights into legal issues and cases that are affecting these sectors across the region.Read the full edition
Charlotte Sutcliffe - Associate - Digital & Data
The Dubai International Financial Centre (“DIFC”), has issued a new Data Protection Law DIFC Law No. 5 of 2020 (“DIFC DP Law”). This law applies in the jurisdiction of the DIFC only
In this article, we focus on the circumstances under which controllers (i.e. entities that control the processing of personal data) and processors (i.e. entities under the direction of a third party to process personal data) must appoint a Data Protection Officer (DPO).
A DPO is defined under the DIFC DP Law as an officer appointed by a controller, joint controller or processor to independently oversee relevant data protection operations in the manner set out under the DIFC DP Law. In practice, a DPO is an individual appointed by the entity whose job it is to oversee an entity’s compliance with the DIFC DP Law.
It is mandatory for a DPO to be appointed by:
Under Article 16(3), the DIFC Commissioner of Data Protection (“Commissioner”) may also require a controller or processor to designate a DPO.
Otherwise a controller, joint controller or processor may voluntarily designate a DPO under Article 16(1).
A ‘DIFC Body’ includes the Commissioner, DIFCA, DFSA, DIFC Courts, and any other person, body, office, registry or tribunal established under DIFC Laws or established upon approval of the President of the DIFC that is not revoked by the DIFC DP Law or any other DIFC Law.
A ‘High Risk Processing Activity’ is the processing of personal data where one or more of the following applies:
The Commissioner has published policy guidance to assist controllers and processors to determine whether any of their business activities fall within this definition.
A DPO must reside in the UAE unless he or she is an individual employed within the organisation’s group and performs a similar function for the group on an international basis. The role of a DPO may be performed by a member of a controller’s or processor’s staff, an
individual employed within a controller’s or processor’s group in accordance, or by a third party under a service contract. A group may appoint a single DPO provided that he or she is easily accessible from each entity in the group. A DPO may hold other roles or titles within a controller, processor or in a group, and may fulfil additional tasks and duties other than those described in the DIFC DP Law.
A DPO is the data subject’s and the Commissioner’s first point of call about any data protection related issues. It must have knowledge of the DIFC DP Law and its requirements and shall ensure a controller or processor monitors compliance with the DIFC DP Law.
A DPO must:
Where a controller is required (and has not elected) to appoint a DPO, the DPO shall undertake an assessment of the controller’s processing activities, at least once per year, which shall be submitted to the Commissioner, which should include information such as whether it intends to undertake high risk processing activities (such an assessment is referred to as a DPO Controller assessment)
A data protection impact assessment is an assessment of the impact of the proposed processing operations on the protection of personal data, considering the risks to the rights of the data subjects concerned.
A DPO, where appointed, shall be responsible for overseeing data protection impact assessments.
Prior to undertaking High Risk Processing Activities, a data protection impact assessment has to be carried out regarding on the impact of the proposed processing operations on the protection of personal data, considering the risks to the rights of the data subjects concerned.
A controller who has appointed a DPO must provide any data subject from whom it obtains personal data with the contact details of the DPO.
Failing to appoint a DPO where required under the DIFC DP Law could result in a fine of up to US$50,000.
The obligation to appoint a DPO is substantially similar under the EU General Data Protection Regulation (“GDPR”). However, there are a few additional aspects to designating a DPO under the DIFC DP Law, including:
The DIFC DP Law provides for entities processing personal data to appoint a DPO for overseeing that entity’s compliance with the DIFC DP Law. In some circumstances, a DPO is mandatory.
It is an important role which is given to an individual so that an entity is more effectively able to manage its obligations under the DIFC DP Law. Compliance with the DIFC DP Law and continuous monitoring is a key task of the DPO.
A DPO has to have sufficient expertise, independence and resources to effectively perform their statutory duties. The DPO should work with the Commissioner in a transparent and cooperative way.
Even if a controller or processor is not required to appoint a DPO under the DIFC DP Law, it must still clearly allocate responsibility for oversight and compliance with respect to data protection duties and obligations under the DIFC DP Law, or any other applicable data protection law, within its organisation and be able to provide details of the persons with such responsibility to the Commissioner upon request.