Our knowledge, experience, and expertise are now available on the go.
We are proud to announce the launch of My Tamimi App, a convenient new tool for anyone with an interest in the legal sector, from law students to General Counsel.Find out more
Sana Saleem - Associate - Technology, Media & Telecommunications
In a data protection context, a ‘data controller’ can broadly be understood as someone (usually a corporate entity) who determines the purposes for which personal data is processed. ‘Personal data’ can generally be understood as data relating to an identifiable natural person, and a ‘data subject’ can be understood as the identifiable natural person to whom such personal data relates. The concept of ‘processing’ is very broad, and can include the collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, erasure or destruction of personal data.
Data controllers need to provide data subjects with certain information to ensure that the processing of such data subjects’ personal data is fair and legitimate. This needs to be considered when preparing or reviewing privacy policies intended to serve as formal notification to data subjects of such personal data processing activities.
Whether or not personal data is collected directly from data subjects, in each of the relevant jurisdictions data subjects must be informed of the identity of the data controller, the purposes of the intended processing of personal data, and any further information necessary to guarantee fair processing in relation to the data subject; having regard to the specific circumstances in which the personal data is collected. The latter may include:
Where personal data is collected directly from the data subject, information on whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply, should also be communicated to the data subject to ensure fair processing. Where personal data is not collected directly from the data subject, information on the category of personal data concerned should also be communicated to the data subject to ensure fair processing.
The data controller need not provide information that the data controller reasonably expects the data subject already has. Additionally, in the case of personal data not collected directly from the data subject, the provision of the information contemplated above is not required if it proves impossible to do so or would involve a disproportionate effort.
The manner in which such information is communicated to the data subject is not prescribed, although it needs to be consistent with the general obligation to process personal data fairly.
Right to access; right to rectify
In addition to the right to be provided with certain information as outlined above, the data protection laws and regulations in the DIFC, ADGM and QFC also provide data subjects with certain other rights with regard to access to, and rectification, erasure or blocking of, personal data, as well as a right to object to processing.
A data subject has the right to obtain from the data controller upon request, at reasonable intervals and without excessive delay or expense:
A data subject also has the right to object to the processing of personal data at any time on reasonable grounds relating to the data subject’s particular situation; and the right to be informed before personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
Data subject access rights do not apply to the actions of the various regulators, authorities and companies’ registrars in the relevant jurisdictions if the application of such provisions would be likely to prejudice the proper discharge of the powers and functions of these entities, in so far as those powers and functions are designed to protect members of the public against dishonesty, malpractice or other seriously improper conduct.
Data controllers operating in the DIFC, ADGM and QFC need to be aware of their obligations with regard to properly informing data subjects of personal data processing involving such data subjects’ personal data, and addressing legitimate data subject access requests.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data and data protection issues throughout the Middle East. For further information please contact Nick O’Connell (firstname.lastname@example.org) or Sana Saleem (email@example.com).
Disclaimer: This chat service should not be relied upon as a substitute for professional advice which takes account of your specific circumstances and any changes in the law and practice. No warranty is made as to the accuracy or completeness of the information provided via this service and no liability is accepted by Al Tamimi & Company Limited, its affiliates, partners or employees for any loss arising as a result of reliance upon the information provided.
Kindly accept the disclaimer to proceed to a live chat.
Thank you for your inquiry. We will connect you to one of our agents now.
Thank you for your interest in working with Al Tamimi & Company. Please click here to view our latest job openings.