Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreWe are excited to share the latest edition of the Law Update, beautifully and appropriately titled “Sustainable Horizons: The Saudi Arabian Vision.” Giving special honor to the Kingdom’s 2030 vision, this update focuses on a collection of both informative and inspiring articles.
For those in construction, you can learn about how the tendering environment impacts risk-pricing for contractors, the updates on the legal framework of the construction industry and how contractors can protect themselves against financial difficulties.
There is good news too from the kingdom’s banking sector, from which the practice of “Open Banking” is being pushed for! But what is open banking? We’re answering that too.
Also . . . Are there any women trail blazers in Saudi Arabia you can name? We’ll help you with that. We cover how the Middle East has been making strides in empowering women in the entrepreneurial space,most notably in STEM fields.
Read the full editionCharlotte Sutcliffe - Associate - Digital & Data
The Dubai International Financial Centre (‘DIFC’) has issued a new DIFC Data Protection Law, DIFC Law No. 5 of 2020 (‘DIFC Data Protection Law’). The DIFC Data Protection Law replaces the previous DIFC data protection law, DIFC Law No. 1 of 2007.
Modelled on Europe’s General Data Protection Regulation (‘GDPR’), the DIFC Data Protection Law provides enhanced standards and controls for the processing and movement of personal data by controllers and processors, and protects the fundamental rights of data subjects. One purpose of the DIFC Data Protection Law is to protect the fundamental rights of data subjects, including how such rights apply to the protection of personal data in emerging technologies.
In this article, we explore the obligations on ‘controllers’ (i.e. entities that control the processing of personal data) and ‘processors’ (i.e. entities that process personal data under the direction of a controller) to notify the DIFC Data Protection Commissioner, and affected data subjects, in the event of personal data breach incidents.
Guidance issued by the Commissioner of Data Protection sets out that controllers and processors should consider the following matters with regards to enhancing information security and protecting against personal data breaches:
Controllers and processors should prepare an incident response plan to ensure the correct procedures are followed to reduce the risk of personal data breaches, and to know what to do if a breach incident occurs. The incident response plan should be aligned to the personal data breach requirements in the DIFC Data Protection Law.
Controllers and processors should ensure they provide specific DIFC Data Protection Law training to personnel, including training focussed on data breach incidents. Such training will assist personnel in recognising data breach incidents, which can take a variety of forms, ranging from inadvertently sending an email to the wrong recipient through to sophisticated hacking events.
The DIFC Data Protection Law sets out that if there is a personal data breach that compromises a data subject’s confidentiality, security or privacy, the controller involved shall, “as soon as practicable” in the circumstances, notify the personal data breach to the DIFC Commissioner of Data Protection. If a processor discovers a personal data breach, the processor is required to notify the relevant controller without undue delay.
The notification to the Commissioner should:
When a personal data breach is likely to result in a high risk to the security or rights of a data subject, the controller shall communicate the personal data breach to an affected data subject as soon as practicable in the circumstances. If there is an immediate risk of damage to the data subject, the controller shall promptly communicate with the affected data subject in clear and plain language containing the following information (at the least):
The Commissioner has the option to communicate the personal data breach to the data subjects where there is a high risk to the security or rights of the data subjects involved, or otherwise direct the controller to make a public communication disclosing that the personal data breach has occurred.
The DIFC position in relation to personal data breach notification obligations is similar to the GDPR approach, but there are some distinct differences:
Controllers and processors subject to the DIFC Data Protection Law must ensure they are across all obligations with respect to data breach notification obligations, including with regard to notifications to the Commissioner of Data Protection and to affected data subjects. Besides the risk of fines and claims for damages, failure to act appropriately in addressing data breach incidents can also result in reputational damage.
For more information, please contact Martin Hayward (m.hayward@tamimi.com) or Charlotte Sutcliffe (c.sutcliffe@tamimi.com).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.