DIFC Courts

Section 1: (Purpose)

The Dubai International Financial Centre Courts (DIFC Courts) is a platform for delivering legal excellence in the Middle East and the gateway to a suite of services available to businesses operating in the DIFC and beyond. In fulfilling its functions, DIFC Courts collects, uses and shares Personal Data which is critical for its operation. DIFC Courts is subject to the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DP Law 2020).

The DIFC Courts is committed to safeguarding the privacy and security of Personal Data that it collects, uses and shares in accordance with DP Law 2020.

This policy explains how DIFC Courts will comply with DP Law 2020 when processing Personal Data.

Section 2: (Scope)

This policy covers all Personal Data, in any form, processed by, or on behalf of, DIFC Courts.

This policy applies to:

1. All employees of DIFC Courts, including temporary employees, trainees and those on probation.

2. Those who process Personal Data on behalf of DIFC Courts including suppliers and service providers.

3. All others who receive Personal Data from DIFC Courts.

This policy may be amended at any time, regardless of employees’ contractual terms. Any breach of this policy may result in disciplinary action.

Section 3: (Terms & Definitions)

Data is information which is processed i) by means of equipment operating automatically in response to instructions given for that purpose, or ii) on paper or as part of a paper-based filing system intended for processing electronically.

Data Subjects for the purpose of this policy include all living individuals about whom we hold Personal Data. All Data Subjects have legal rights in relation to their Personal Data.

Controllers are the people who or organisations which determine the purposes for which, and the manner in which, any Personal Data is processed. They are responsible for establishing practices and policies in line with the Applicable Laws. We are the Controller of all Personal Data used for commercial or other notified purposes.

Processors include any person or organisation that is not a Data user that processes Personal Data on our behalf and on our instructions. Employees of Controllers are excluded from this definition, but it could include suppliers that handle Personal Data on DIFC Courts' behalf.

Personal Data means Data relating to a living individual (e.g. service users, employees and third parties) who can be identified from that Data (or from that Data and other information in our possession). Personal Data can be factual (for example, a name, address or date of birth) or it can be an opinion about that person, their actions and behaviour.

Processing is any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Processing also includes transferring Personal Data to third parties.

Special Categories of Personal Data is information revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life. Special Category Data can only be processed under strict conditions, including a condition requiring the express permission of the person concerned.

Section 4: (References)

This policy has been adopted by the Dubai International Financial Centre Courts.

Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to the following address: dataprotection@difccourts.ae

Section 5: (References)

Related Documents

The following DIFC Courts documents should be read alongside this policy:

  • Information Security Policies
  • Incident Management Procedure
  • Records of Processing Activity (ROPA)
  • Subject Access Request Procedure

Section 6: (Objectives)

The DIFC Courts (collectively referred to as “we” or “us”) is committed to safeguarding the privacy and security of the Personal Data that we collect, use and share in accordance with the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DP Law 2020).

DIFC Courts recognise that the fair and lawful processing of Personal Data will maintain confidence in DIFC Courts and will support successful operations.

This policy sets out how DIFC Courts will comply with DP Law 2020.

Section 7: (Policy)

DIFC Courts service users, employees and third parties have rights with regard to the way in which their Personal Data is collected, stored and processed. The DIFC Courts is committed to safeguarding the privacy and security of the Personal Data of service users, employees and third parties, in accordance with DP Law 2020.

The DIFC Courts has taken the following steps to ensure compliance with DP Law 2020:

  • established a compliance program; and
  • appointed a Data Protection Officer, who must act independently, reporting to senior management, and who is responsible for:
    • ensuring compliance with the DP Law 2020 and with this policy
    • ensuring the DP Notification in the DIFC Client Portal is updated on an annual basis
    • providing data protection training for employees
    • conducting data protection impact assessments and risk analysis on new projects; and
    • supporting DIFC Courts in keeping and updating Records of Processing Activities

Personal Data

DIFC Courts may, in the ordinary course of business, collect and process information about anyone who:

  • is employed by us, including contractors and temporary employees
  • uses our mobile applications, websites, call-centres or other digital interfaces
  • attends our business development, marketing or other DIFC Courts sponsored events
  • contacts us for information about other products and services
  • interacts and communicates with us in a business capacity; and
  • provides or handles our information relating to suppliers and other third parties.

Such information may include, but is not limited to:

  • Name, gender, home address, and telephone number, date of birth, marital status, emergency contacts;
  • Residency and visa status, nationality and passport information;
  • Emirates ID number, banking details;
  • Information required to comply with laws, the requests and directions of law enforcement authorities or court orders (i.e. debt payment information);
  • Information captured on security systems, including CCTV and key card entry systems;
  • Voicemails, emails, correspondence and other work product and communications created, stored and transmitted by an employee using DIFC Courts computer or communications equipment;
  • Employee information, including:
    • Sick pay, pensions, insurance and other benefits information (including the gender, age, nationality and passport information for spouse, minor children or other eligible dependents and beneficiaries);
    • Dates of hire, date(s) of promotion(s), work history, technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended;
    • Records of work absences, vacation entitlement and requests, salary history and expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures (including monitoring compliance with and enforcing DIFC Courts policies);
    • Where permitted by law and proportionate in view of the function to be carried out by an employee or prospective employee, the results of credit and criminal background checks, health certifications;
    • Date of resignation or termination, reason for resignation or termination of employment (i.e. references).

Principles of Compliance

When processing Personal Data, DIFC Courts will adhere to the following principles of lawfulness, transparency and accountability as set out in DP Law 2020:

  • Personal Data must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
  • Personal Data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
  • Personal Data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
  • Personal Data must be accurate and, where necessary, kept up to date.
  • Personal Data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
  • Personal Data must be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Practical Steps

In order to comply with the above principles, DIFC Courts will:

  • Ensure there is always a legal basis for processing Personal Data
  • Ensure Personal Data is processed for specified and lawful purposes
  • Notify those purposes to the Data Subject
  • Ensure Personal Data is accurate and kept up to date
  • Take reasonable steps to destroy or amend inaccurate or out-of-date Personal Data
  • Not keep Personal Data longer than is necessary for the purpose(s) for which they are collected
  • Take all reasonable steps to destroy, or erase from our systems, all Personal Data which is no longer required or which a Data Subject has asked that we destroy or modify.
  • Conduct timely reviews of our processing operations with respect to Personal Data that is collected and stored in our systems.

Data Security

In order to comply with the principle of Personal Data security, DIFC Courts will:

  • Take appropriate security measures against unlawful or unauthorised processing of Personal Data, and against the accidental loss of, or damage to, Personal Data.
  • Put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
  • Only transfer Personal Data to a Processor if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
  • Implement, as part of our security policies and processes, a data breach reporting procedure, in order to address Personal Data breaches and how to manage / report them in accordance with Article 41 (and where required, Article 42) of the DP Law 2020.

All DIFC Courts employees are responsible for ensuring the security of our systems by adhering to this and related policies including the DIFC Courts IT and Security policies, which contain details about appropriate use and security of the devices and systems that are in the DIFC Courts IT environment.

Transferring Personal Data

We may transfer any Personal Data we hold to and from the jurisdiction in which it is collected. In relation to Personal Data that i) we transfer out of the DIFC or ii) specifically to the UK, the EU or a country within the European Economic Area ("EEA"), we may subsequently transfer that Personal Data to another country provided that one of the following conditions applies:

1. One of the appropriate safeguards is in place under Article 27(2) of the DIFC DP Law 2020.

2. The country to which the Personal Data are transferred ensures an adequate level of protection for the Data Subjects' rights and freedoms.

3. The Data Subject has given his consent.

4. The transfer is necessary for one of the reasons set out in DP Law 2020, including the performance of a contract between us and the Data Subject, or to protect the vital interests of the Data Subject.

5. The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

6. The transfer is authorised by the relevant data protection authority where we have adduced adequate safeguards with respect to the protection of the Data Subjects' privacy, their fundamental rights and freedoms, and the exercise of their rights.

Accountability to Data Subjects

Our use or disclosure of Personal Data must be necessary for the purpose(s) or compatible with the purpose(s) for which we collect and keep the data. Except in certain limited circumstances (including where we are required by law) we will only use and disclose the Data in ways consistent with such purpose(s).

We will inform, through publicly available privacy notices (i.e., on our corporate website), Data Subjects who provide us with or inform us about their Personal Data regarding:

1. The purpose or purposes for which we intend to process that Personal Data.

2. How we process their Personal Data, including information about third party suppliers who process it on our behalf.

3. The types of third parties, if any, with which we will share or to which we will disclose their Personal Data.

4. The means, if any, with which Data Subjects can limit our use and disclosure of their Personal Data.

5. Any other rights they have with respect to our use of their Personal Data in line with Applicable Laws.

6. The methods and mechanisms we have in place to be transparent with and accountable to the Data Subject.

7. The DIFC Courts' role as a Controller of their Personal Data and how to contact the Commissioner of Data Protection.

 

Disclosure and Sharing of Personal Data

We may share Personal Data with third parties in limited circumstances:

  • If we are under a duty to disclose or share a Data Subject's Personal Data in order to comply with any legal obligation.
  • In order to enforce or apply any contract with the Data Subject or other agreements.
  • To protect our rights, property, or safety of our employees, customers, or others.
  • For the purposes of fraud protection and credit risk reduction.
  • To enable us to fulfil employee contract requirements such as payroll and medical insurance.

In all cases we will take appropriate advice including consulting the Data Protection Officer.

Dealing with Data Subjects’ Rights

With some limited exceptions, Data Subjects are entitled to:

  • Request access to any Personal Data that DIFC Courts holds about them (known as a subject access request);
  • Request that we stop processing their Personal Data, including automated processing of Personal Data;
  • Request that we rectify, block or erase any Personal Data we hold about them; or
  • Make a complaint to the Commissioner of Data Protection regarding the processing of their Personal Data.

Questions about this Policy

If you have any questions about this policy, or any concerns or complaints with regard to the administration of this policy, or if you would like to submit a request for access to the Personal Data that we maintain about you, please contact:

Ruksana Ellahi, Legal Counsel & Data Protection Officer
Level 3, Precinct Building 5 (South), The Gate District, Dubai International Financial Centre (DIFC) Dubai, United Arab Emirates
dataprotection@difccourts.ae
Tel: +971 4 427 3333

Should you wish to contact the DIFC Commissioner of Data Protection’s Office:

Dubai International Financial Centre Authority
Level 14, The Gate Building, Dubai International Financial Centre (DIFC)
Dubai, United Arab Emirates
commissioner@dp.difc.ae
+971 4 362 2222