As a firm we have a strong commitment to our corporate sustainability principles, and this year we joined the United Nations Global Compact, an initiative dedicated to promoting responsible business practices and advancing the United Nations Sustainable Development Goals (SDGs). Our goals include education, gender equality, climate action, justice for all, and sustainable partnerships. You can learn about our action plans and targets here.
In this edition, we feature an entire section dedicated to COP28 where we share insights and intelligence through conversations we have had with leading experts from across the region. This includes articles and podcasts that delve into the most pertinent topics, such as COP28’s call to action for corporates, ESG reporting, and the UAE’s Net Zero vision.
Beyond the focus on Energy and Climate, we feature articles covering important updates across a variety of areas, such as the UAE consumer protection law, an overview of the Federal Civil Family Law for Non-Muslim Foreigners in the UAE, and, from Kuwait, the management of companies. As always, in our final section we continue to share with you real-life judgements that provide context to the legal landscape in the region.
As of July 2020, the Dubai International Financial Centre, a financial services free zone in the Emirate of Dubai, has a new data protection law, the Data Protection Law 2020 (the ‘DIFC Data Protection Law’). One key topic relevant to data controllers and data processors subject to the DIFC Data Protection Law is the question of whether or not it is compulsory to appoint a Data Protection Officer (‘DPO’). A DPO is someone appointed by a data controller or data processor to independently oversee certain data protection operations. In this article, we consider this point, and provide further information on related issues, including who can fulfil the DPO role, and the obligations incumbent on a DPO.
There is a requirement to appoint a DPO in certain circumstances. Certain DIFC Bodies (such as the DIFC Authority, the Dubai Financial Services Authority, and the DIFC Courts (with a limited exception)) are required to appoint a DPO. Data controllers and data processors that are performing certain ‘high risk’ personal data processing activities must also appoint a DPO. There may also be circumstances in which the Commissioner of Data Protection requires a data controller or data processor that does not fall into either of these categories to appoint a DPO. (If a data controller or data processor is subject to the statutory requirement to appoint a DPO, it must submit an annual assessment of its data processing activities to the Commissioner of Data Protection, in the form prescribed by the Commissioner.)
The type of ‘high risk’ personal data processing activities that trigger the requirement to appoint a DPO include:
Data controllers and data processors subject to the DIFC Data Protection Law should first consider whether they fall within any of the types of entities that must, by their nature, appoint a DPO. Otherwise, they should assess their personal data processing activities to determine whether those activities fall into the ‘high risk’ category that necessitates the appointment of a DPO. Based on guidance issued by the Commissioner of Data Protection, the threshold for ‘high risk’ personal data processing is not a high one, and it is likely that many data controllers and data processors operating in the DIFC will need to appoint a DPO.
Even if a statutory requirement to appoint a DPO does not apply, a data controller or data processor subject to the DIFC Data Protection Law still needs to clearly allocate responsibility for data protection compliance within its organisation. It is also permissible for a data controller or data processor to appoint a DPO in circumstances where it is not strictly required to do so.
A DPO could be someone employed within the data controller or data processor, someone within the corporate group of the data controller or data processor (where the DPO role is managed centrally across the group), or a third-party service provider.
An individual acting as DPO to a corporate group can be based outside the UAE; otherwise, a DPO needs to be resident in the UAE. (To the extent that a DPO could be a corporate third-party service provider, it is our understanding that such a service provider would need to be an entity licensed to operate in the UAE.)
A DPO needs to be familiar with the requirements of the DIFC Data Protection Law, and to ensure that the data controller or data processor complies with those requirements. A DPO needs to be able to act independently and under his or her own authority, and must have sufficient resources to discharge the duties of a DPO effectively, objectively and independently. A DPO needs to have timely and unrestricted access to information within the data controller or data processor in order to perform those duties, and direct access to senior management. A DPO can perform other roles within the data controller or data processor; depending on the size and nature of the organisation, it is common for the DPO role to be filled by a legal or compliance specialist, or an HR specialist.
Importantly, a DPO needs to be able to fulfil a variety of specific tasks set out in the DIFC Data Protection Law. These include:
Data controllers and data processors that are subject to the DIFC Data Protection Law need to determine whether or not they are subject to the statutory requirement to appoint a DPO. If a DPO is required, the DPO needs to have the competencies and status necessary to discharge his or her duties, as contemplated by the DIFC Data Protection Law. One of the first responsibilities of the DPO will be to ensure that the annual assessment is submitted to the Commissioner of Data Protection as a matter of priority.