While not identical, many similarities can be found in the data protection laws and regulations of the Dubai International Financial Centre (‘DIFC’), the Abu Dhabi Global Market (‘ADGM’) (each being a financial services free zone in the United Arab Emirates) and the Qatar Financial Centre (‘QFC’) (being a financial services licensing authority in Qatar). In this article, we focus on obligations to provide information to data subjects when gathering personal data, and the rights of data subjects to object to the processing of personal data relating to them.
In a data protection context, a ‘data controller’ can broadly be understood as someone (usually a corporate entity) who determines the purposes for which personal data is processed. ‘Personal data’ can generally be understood as data relating to an identifiable natural person, and a ‘data subject’ can be understood as the identifiable natural person to whom such personal data relates. The concept of ‘processing’ is very broad, and can include the collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, erasure or destruction of personal data.
Data controllers need to provide data subjects with certain information to ensure that the processing of such data subjects’ personal data is fair and legitimate. This needs to be considered when preparing or reviewing privacy policies intended to serve as formal notification to data subjects of such personal data processing activities.
Whether or not personal data is collected directly from data subjects, in each of the relevant jurisdictions data subjects must be informed of the identity of the data controller, the purposes of the intended processing of personal data, and any further information necessary to guarantee fair processing in relation to the data subject, having regard to the specific circumstances in which the personal data is collected. The latter may include:
- the recipients or categories of recipients of the personal data;
- the existence of the right of access to and the right to rectify the personal data;
- whether the personal data will be used for direct marketing purposes; and
- whether the transfer of personal data or processing of sensitive personal data is necessary to uphold the legitimate interests of the data controller recognized in the international financial markets.
Where personal data is collected directly from the data subject, information on whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply, should also be communicated to the data subject to ensure fair processing. Where personal data is not collected directly from the data subject, information on the category of personal data concerned should also be communicated to the data subject to ensure fair processing.
The data controller need not provide information that the data controller reasonably expects the data subject already has. Additionally, in the case of personal data not collected directly from the data subject, the provision of the information contemplated above is not required if it proves impossible to do so or would involve a disproportionate effort.
The manner in which such information is communicated to the data subject is not prescribed, although it needs to be consistent with the general obligation to process personal data fairly.
Right to access; right to rectify
In addition to the right to be provided with certain information as outlined above, the data protection laws and regulations in the DIFC, ADGM and QFC also provide data subjects with certain other rights with regard to access to, and rectification, erasure or blocking of, personal data, as well as a right to object to processing.
A data subject has the right to obtain from the data controller upon request, at reasonable intervals and without excessive delay or expense:
- Confirmation in writing as to whether or not personal data relating to the data subject is being processed and, at a minimum, the purpose of processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data will be disclosed;
- Communication to the data subject, in an intelligible form, of the personal data undergoing processing and of any available information as to its source; and
- As appropriate, the rectification, erasure or blocking of personal data, the processing of which does not comply with the provisions of the applicable law or regulations.
A data subject also has the right to object to the processing of personal data at any time on reasonable grounds relating to the data subject’s particular situation; and the right to be informed before personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
Data subject access rights do not apply to the actions of the various regulators, authorities and companies’ registrars in the relevant jurisdictions if the application of such provisions would be likely to prejudice the proper discharge of the powers and functions of these entities, in so far as those powers and functions are designed to protect members of the public against dishonesty, malpractice or other seriously improper conduct.
Data controllers operating in the DIFC, ADGM and QFC need to be aware of their obligations with regard to properly informing data subjects of the processing of their personal data, and addressing legitimate data subject access requests.