The Dubai International Financial Center’s Commissioner for Data Protection (“DIFC Data Protection Commissioner“) has recently issued Notices to Produce to a number of entities registered in the DIFC.  We understand the entities under investigation are entities that have registered with the DIFC Data Protection Commissioner as being entities that do not process personal data, but which are entities that may have employees in the DIFC.

The DIFC Data Protection Commissioner is requiring these companies to provide it with information regarding business activities, number of staff employed in the DIFC, and an explanation of why the companies have not registered as processing personal data in the DIFC.

The deadline for responses is 29 February 2016.

There are a number of potential penalties that the DIFC Data Protection Commissioner may issue, including a maximum fine of US$25,000 for failing to register with the Office of the Commissioner.

The DIFC Data Protection Commissioner regularly conducts supervisory visits to entities as part of its on-going supervisory process, however this is the first audit of entities that claim they do not process personal data, and serves to highlight that the DIFC’s Data Protection Laws will be enforced by the DIFC Data Protection Commissioner and should be taken seriously.