You are here

United Arab Emirates

Survey Answer:

In DIFC it is the Commissioner of Data Protection. If the Commissioner of Data Protection is satisfied that a data controller has contravened or is contravening provisions of DIFC Data Protection Law, he may issue a direction requiring him to do either or both of the following:
(a) to do or refrain from doing any act or thing within such time as may specified in the direction; or
(b) to refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction.
The Commissioner of Data Protection shall carry out, as a minimum, due process by means of undertaking all the reasonable and necessary inspections and investigations to be adequately satisfied to establish the data controller’s breach.
A data controller who fails to comply with a direction of the Commissioner of Data Protection under this part of the Law, contravenes this law and may be subject to fines and liable for payment of compensation.
Commissioner of Data Protection may apply to court to seek any of the following directions:
(a) an order directing the data controller or officer to comply with the direction or any provision of the DIFC Data Protection Law or of any legislation administered by the Commissioner of Data Protection relevant to the issue of the direction; or
(b) an order directing the data controller or officer to pay any costs incurred by the Commissioner of Data Protection or other person relating to the issue of the direction by the Commissioner of Data Protection or the contravention of such Law.
Similarly in the ADGM, it is the Registrar. If the Registrar is satisfied that data controller has breached any provisions of the law, then the Registrar may issue a direction to the data controller requiring him to do either or both of the following:
(a) to do or refrain from doing any act or thing within such time as may be specified in the direction; or
(b) to refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction.
A data controller, who fails, without a reasonable excuse to comply with any direction issued by the Registrar under this section, shall be liable to a fine of up to USD 15,000.

Provided By:
Andrew Fawcett and Krishna Jhala, Al Tamimi & Company