Supervision & Enforcement

Supervision

Each year the Commissioner's Office undertakes supervisory actions, including inspections. Now conducted through an automated process via the DIFC Client Portal, the inspection methodology, risk assessment and reporting process reaches at least 100 entities per year.

Inspection statistics will be posted on a regular basis, to help you see what kind of information must be reported and how to assess the risks regarding any non-compliance issues.

Statistics regarding investigations (ongoing and completed) are also important for understanding how complaint intake, mediation, review and determination work, the timelines involved, and what the Commissioner's Office's fact-finding process looks like. Please see information about the complaints and mediation process in FAQs and Guidance.

Finally, Presidential Directives are a form of supervision that DIFC Controllers and Processors must take note of. Apart from guidance, Presidential Directives set out specific requirements relating to the regulatory requirements of DIFC laws. Please refer to this section of the Supervision & Enforcement page for the latest applicable Directives.

 

-- INSPECTIONS

2024

Thematic Assessments: 310 

Inspections: 331

  

-- INVESTIGATIONS

2024

3 (all pending resolution) 

 

-- DIRECTIVES

Presidential Directives related to Data Protection in 2022: 1

Directive No. 4 of 2022, the Public Authority Personal Data Sharing Directive

The Public Authority Personal Data Sharing Directive, No 4 of 2022, primarily deals with the applicability of the Data Protection Law, DIFC Law No 5 of 2020 (the DP Law 2020), to data sharing protected by safeguards enumerated in Article 28. Government authorities and law enforcement may, of course, request personal data from a DIFC entity. Article 28 imposes safeguards for ensuring that personal data shared with the Requesting Authority is, either by written and binding assurances or by the sharing entity's own risk assessment, or both, processed in accordance with the DP Law 2020. For more information about the applicability and importance of compliance with Article 28, please review the guidance and FAQs available on the Data Export & Sharing page of the DP website.

 

-- Thematic Assessment Reports

Reports Related to Implementation of DIFC DP Law 2020: 1

Data Protection Report No. 1 of 2023 on a Thematic Assessment of Article 28 was prepared to better understand the origination and types of, and the reasons for, government authority data sharing requests made to DIFC-based entities. It also explores how DIFC-based entities are implementing Article 28, and any recommendations to the Commissioner's Office to further support, supervise and monitor such implementation.

 

Enforcement

Enforcement, including remedial actions, directions, decision notices and fines, is a necessary part of data protection law regulation.

Decision notices are issued by the Commissioner usually when a complaint has been made and investigated, and a conclusion drawn about contravention or no contravention of the DIFC DP Law, in accordance with the Commissioner's powers and functions set out in Part 8 of the DIFC DP Law 2020 and Part 9 addressing Remedies, Liability and Sanctions. Decision notices will be provided below.

 

-- DECISION NOTICES - Outcome of Investigations

2022

Investigations resulting in DNs: 2

Decision Notice No. 1 of 2022

Decision Notice No. 2 of 2022

2023

Investigations resulting in DNs: 0

2024

Investigations resulting in DNs: TBC

 

-- ADMINISTRATIVE FINES

Administrative fines are the result of basic contraventions such as non-renewal of notification, failure to complete an Annual Assessment (if a DPO is appointed) or failure to reply to an investigation request, in accordance with the DP Regulations 2020.  

2023 

Administrative Fines: 

  • Preliminary Notices: 150
  • Decision Notices: 173

2024

Administrative Fines: 

  • Preliminary Notices: 200
  • Decision Notices: 64