New guidance on the types of data protection clauses expected in data processing agreements and abbreviated standard contractual clauses (SCCs) for use in international personal data transfers have been issued by authorities in the Dubai International Financial Centre (DIFC).
In a briefing note on 14 August, data protection experts Martin Hayward and Alexandra Bertz of international law firm Pinsent Masons said that companies should review their existing agreements to ensure these have clauses that meet the requirements of the clauses set out in the DIFC's newly-issued Article 24 Clauses & DIFC Abbreviated SCCs Guidance (DIFC guidance) (19-page / 613KB PDF).
"Their agreements can be more extensive but should, as a minimum, include the Article 24 clauses," said Hayward.
Where the processing of personal data is carried out by a data processor, on behalf of a controller, or sub-processor on behalf of a processor, articles 24 (1) and (3) of the DIFC Law No. 5/2020 Data Protection Law (DIFC Data Protection Law) require a legally binding written agreement to govern this processing. The data protection clauses issued in the DIFC guidance satisfy these requirements and address the anticipated official standard contractual clauses set out in article 24(8) of the DIFC Data Protection Law.
The DIFC Data Protection Law allows for the transfer of personal data outside the DIFC in certain circumstances. These include, under article 26, where an adequate level of protection for that personal data is ensured. A list of jurisdictions where an adequate level of protection is currently in place is set out in appendix 3 of the DIFC Data Protection Regulations 2020. Transfers of personal data outside the DIFC to jurisdictions not on the appendix 3 list are only permitted where companies implement "appropriate safeguards", such as the DIFC standard contractual clauses under article 27(2)(c) of the DIFC Data Protection Law.
The newly issued abbreviated SCCs assist businesses to put appropriate safeguards in place quickly and easily by providing a reduced and more ‘user friendly', set of standard contractual clauses, linking out to the standard contractual clauses. The DIFC guidance further clarifies when and how these abbreviated SCCs should be used. The abbreviated SCCs are still accompanied by annexes, but these have been reformatted to make them quicker and easier to complete.
Hayward said: "The abbreviated SCCs will help companies making international data transfers, including transfers from the DIFC to onshore UAE, meet their obligations under the DIFC Data Protection Law".
Bertz added: "The DIFC guidance is another important addition to the already extensive set of guidance available for companies implementing the DIFC Data Protection Law".