DFSA | THE INDEPENDENT REGULATOR OF FINANCIAL SERVICES

DATA PROTECTION

Last updated on 30 September 2020

A - ABOUT THIS POLICY
 

Purpose and scope
  1. The purpose of this policy is to provide information about:
    1. the Personal Data that the Dubai Financial Services Authority (the "DFSA", "We" or "Us") collects;
    2. how we process that Personal Data, including how we use and disclose it; and
    3. your rights as an individual in respect of Personal Data we hold about you.
  2. The Dubai International Financial Centre ("DIFC") Data Protection Law, DIFC Law No. 5 of 2020 (the "DP Law"), and the DIFC Data Protection Regulations (together, the "DP Law & Regulations"), came into force on 1 July 2020 and regulate the use of Personal Data, including Special Categories of Personal Data, in the DIFC. 
  3. "Personal Data" is defined in the DP Law as any information referring to an identified or identifiable natural, living person.
  4. "Special Categories of Personal Data" are defined in the DP Law as Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.
  5. The DP Law & Regulations regulate how data controllers may collect, use, store and disclose Personal Data, and also give individuals certain rights in respect of Personal Data held about them. This policy sets out how the DFSA complies with its obligations under the DP Law & Regulations, and how individuals may exercise their rights under that legislation, including the right to access Personal Data held about them.
  6. The DP Law & Regulations are located on the Dubai International Financial Centre’s website at: www.difc.ae. The DIFC Data Protection Commissioner (the "Commissioner") is the person responsible for the administration and enforcement of the DP Law & Regulations; and the Commissioner’s contact details are located on that website.

Confidentiality
  1. Personal Data held by the DFSA will often be confidential information that the DFSA has received in the course of carrying out its functions and activities as the regulator of financial services in the DIFC. Further information on how the DFSA protects, uses and discloses such confidential information can be located in Chapter 8 of the DFSA’s Regulatory Policy and Process Sourcebook ("RPP"), available here: Link RPP.

Outline of this policy
  1. "Section A" is a brief outline of this policy, including its purpose and scope.
  2. "Section B" sets out our Personal Data collection and processing practices, and contact details for our Data Protection Officer.
  3. "Section C" sets out your rights as a data subject, including how to contact us to exercise your rights or make a complaint about how we process your Personal Data. This section also explains certain circumstances where you may not be able to exercise your rights.
  4. "Section D" sets out further information about our Personal Data processing activities when carrying out our regulatory powers and functions, such as:
    1. supervision;
    2. enforcement;
    3. consultation;
    4. market oversight;
    5. communicating news and events;
    6. handling complaints about us; and
    7. collection and disclosure of information at the request of official agencies or authorities.

B – OUR PERSONAL DATA COLLECTION AND PROCESSING PRACTICES
 

Lawful basis for data collection and processing
  1. We collect Personal Data only where it is relevant to and necessary for specified, explicit and legitimate purposes determined at the time of its collection. 
  2. Generally, we process Personal Data on one or more of the following grounds set out in Article 10 of the DP Law:
    1. for the exercise of the DFSA’s functions and powers conferred on it by or under: (i) the Regulatory Law 2004, Markets Law 2012, Law Regulating Islamic Financial Business 2004, Trust Law 2005, Collective Investment Law 2010, Investment Trust Law 2006, or UAE Federal legislation vesting functions and powers in the DFSA; or (ii) any other law made by the Ruler of the Emirate of Dubai (Article 10(1)(e)(ii) of the DP Law);
    2. for the performance of a task carried out by the DFSA in the interests of the DIFC (Article 10(1)(e)(i) of the DP Law);
    3. for the performance of a contract to which an individual is a party or to take steps at the request of an individual before entering into such contract (Article 10(1)(b) of the DP Law); 
    4. where processing is necessary for the DFSA to comply with particular laws it is subject to (Article 10(1)(c) of the DP Law); and
    5. in certain circumstances, we may rely upon the consent of an individual given for specific purposes in accordance with the DP Law (Article 10(1)(a) of the DP Law).
  3. Details of the main legislation administered by the DFSA can be found here: DFSA laws & rules.
  4. If we collect Personal Data in the course of exercising one of our powers or functions (for example, receiving a report of suspected misconduct or when conducting an investigation) and that Personal Data is relevant to exercising one of our other powers or functions (for example, determining an application for authorisation), we will, in general, use that Personal Data for that other purpose.
  5. We do not usually explicitly ask for any Special Categories of Personal Data from individuals, except in the following circumstances:
    1. in relation to matters concerning the integrity of individuals as provided for under DFSA administered laws and the DFSA Rules; and
    2. hiring employees and engaging with our employees.
  6. The DP Law identifies certain Personal Data processing which leads to a high risk to the rights and freedoms of individuals by virtue of the nature, scope, context and purposes of the processing of their Personal Data, and imposes specific requirements concerning such activities. The DFSA does not undertake any of the high risk processing activities as described in the DP Law.
  7. We do not engage in automated decision-making when processing Personal Data.
  8. We do not collect, use or process Personal Data for direct marketing purposes.

How we collect Personal Data
  1. We collect Personal Data from individuals or their authorised representatives. There are a number of ways in which we collect this data, including through:
    1. email and telephone contact with us;
    2. web-based conference or video calls with us;
    3. onsite visits or other meetings that take place with us in person;
    4. applications, surveys, online forms and systems available on our website;
    5. our e-Portal and Electronic Prudential Reporting System; 
    6. correspondence and other documents (hand delivered or sent to us by post or courier);
    7. engagement with governments, regulators, official bodies, authorities and organisations;
    8. DFSA outreach and information sessions;
    9. DFSA reception sign-in;
    10. DFSA security cameras; 
    11. DFSA guest Wi-Fi; and
    12. DFSA subscriptions (for example, alerts, media releases, consultation papers, discussion papers, DFSA publications, changes in legal framework, Dear SEO letters and human resources systems and updates).
  2. If you contact us, we will keep at least an electronic or digital record of the correspondence, including Personal Data shared at that time. 
  3. In some circumstances we may collect Personal Data about individuals from third parties in the course of:
    1. preparing or receiving reports of suspected misconduct or other complaints;
    2. carrying out our supervisory oversight or investigative functions and activities;
    3. carrying out our authorisation, registration and other statutory functions;
    4. receiving information from or co-operating with other governmental, regulatory or law enforcement agencies or public bodies;
    5. receiving other documents (such as tender documents that contain Personal Data); and
    6. recruiting our employees and contractors or service providers.
  4. Collecting Personal Data from third parties: Where we collect your Personal Data from third parties, we do so on the legal bases set out above under "Lawful basis for data collection and processing". Examples of the categories of Personal Data we may receive from third parties and the purposes for which we process that Personal Data are available here: Personal Data Sources & Purposes

Our Public Register
  1. We are required by law to publish and maintain a register of all persons that are or were authorised by, or registered with, the DFSA. We are also required to publish and maintain a register of persons whose authorisation has been suspended or withdrawn and individuals who have been restricted from performing functions in connection with the carrying on of financial services in or from the DIFC. 
  2. We are legally obliged to make a reasonably current version of the above information publicly available. You may access this information via our Public Register, available here: DFSA Public Register.
  3. Our Public Register contains Personal Data about individuals who are or were authorised by or registered with the DFSA such as their name, their DFSA reference number, the functions they are, or were, authorised or registered to perform and the firm(s) for which they have performed those functions and day-to-day operations.

Sharing Personal Data with third parties
  1. We may disclose your Personal Data to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. These third parties may include cloud service providers; hosting, email and content providers; and lawyers and other service providers who we engage to assist us with our functions.   
  2. When we use third party service providers, we only disclose to them those aspects of Personal Data that are necessary for them to provide their service and we have contracts in place that require them to keep your Personal Data confidential and secure, only use it for the stated purpose and subject to compliance with applicable laws. The obligations of confidentiality set out in Article 38 of the Regulatory Law 2004 also apply to such persons who come into possession of any confidential information.
  3. Given our role as:
    1. the financial services regulator in the DIFC; and
    2. the body responsible for supervising and enforcing anti-money laundering and counter-terrorist financing requirements applicable to Relevant Persons in the DIFC (See Part 4, Chapter 2 of the Regulatory Law 2004, the AML Rulebook and relevant UAE Federal legislation relating to anti-money laundering, counter-terrorist financing and sanctions compliance),

where necessary, we share Personal Data with other regulators, official bodies and authorities and law enforcement agencies both inside and outside the DIFC and the UAE. We may also share Personal Data with the parties involved in investigations (such as firms, individuals and their legal advisers) or in the context of court or tribunal proceedings. In some circumstances, where appropriate, we choose to share this information. In other circumstances, we are obliged for legal reasons to share this information.

  4. In the majority of cases, the laws administered by the DFSA and our policies allow us to share this information without the consent of the individual to whom the Personal Data relates. Where we are required to obtain such consent, we ensure that we obtain adequate consent from the relevant individual in accordance with the DP Law. In other cases, we may be compelled to disclose Personal Data due to a mandatory legal obligation or by order of a court or other adjudicatory body or tribunal of competent jurisdiction.
  5. We may also disclose your Personal Data to the public where it is necessary to do so in the exercise of our regulatory powers or functions. That may include circumstances:
    1. where we are required to make that information available in a public register (as described above);
    2. where we consider it necessary or appropriate to publish information in order to protect investors or potential investors or the public; 
    3. in the context of publishing information and statements relating to decisions of the DFSA, the Financial Markets Tribunal or a court;
    4. in the context of publishing information and statements relating to DFSA sanctions; or
    5. otherwise for the performance of tasks carried out by the DFSA in the interests of the DIFC.

Data access, rectification and erasure
  1. You are responsible for the accuracy, completeness, correctness and relevance of Personal Data you provide to us. 
  2. The DP Law allows you to seek access to the Personal Data we hold about you, and, in certain circumstances, to seek to rectify inaccurate or incomplete data, or, to require the erasure of your Personal Data.
  3. Unless certain conditions or exemptions apply (and we will inform you when they do), we will respond to your request to access, rectify or erase your Personal Data within one month of receiving your request, provided we have received sufficient evidence from you that reasonably establishes your identity as the individual making the request.
  4. Please keep in mind that:
    1. if your request is complex or you make numerous requests, we may need to increase the period for complying with your request;
    2. in certain circumstances, it may not be feasible for us to rectify or erase Personal Data for technical reasons; and
    3. we may refuse to comply with a request we consider manifestly unfounded or excessive,
      in which event (as applicable), we will respond in accordance with the DP Law and notify you of our reasons.
  5. Otherwise, we may be entitled to refuse your request to access, rectify or erase your Personal Data in circumstances where we have relied upon the general exemption set out in the DP Law. For further information, please refer to Section C - Rights of Data Subjects.

Storage and security of Personal Data
  1. We store Personal Data in electronic, digital and paper format.
  2. We take all reasonable steps to secure the Personal Data we hold against unauthorised access, use, modification or disclosure, accidental loss and against other inappropriate alteration or misuse. These steps include:
    1. controlled, secure and restricted access to DFSA physical premises and IT systems;
    2. implementing technical and operational measures to secure Personal Data;
    3. establishing and implementing policies for securing Personal Data;
    4. applying password protection, data authentication, encryption and access privileges to our IT systems;
    5. implementing specific IT software and systems to detect and protect against viruses or other harmful programs or computer code;
    6. securing paper format information in locked cabinets;
    7. limiting employee access to Personal Data to the extent that it is necessary to carry out their responsibilities; 
    8. conducting integrity checks on employees;
    9. including confidentiality and data protection obligations in our contracts with contractors, services providers, consultants, experts, agents and employees; 
    10. implementing measures for the proper and secure disposal of Personal Data; and
    11. imposing clear desk and clear screen procedures.
  3. When your Personal Data is no longer required, it will be securely and permanently deleted, anonymised, pseudonymised, securely encrypted or otherwise put beyond further use in accordance with our data retention policy, unless it is needed to establish or defend legal claims or we are required by law to retain it. 

Notification of Personal Data breaches
  1. If a Personal Data breach occurs and the Personal Data we hold about you is subject to unauthorised access, loss, use or destruction, we will respond in accordance with the DP Law.
  2. We will notify you of any Personal Data breach in respect of your Personal Data which is likely to result in a high risk to your security or rights as soon as is practicable in the circumstances, or, where there is an immediate risk of damage to you, promptly. Where a direct communication to you will involve disproportionate effort, we may instead inform you via a public communication or other similar measures that are equally effective. 

Media and publications
  1. Where our website or publications include photographs of identifiable individuals, we ensure that we obtain an express and specific permission from those individuals. 
  2. If our website features any film taken in a public place, we ensure that the footage only captures individuals in the background and that they are not identifiable. For all other forms of video recording, we obtain express and specific permission from everyone who appears in our films, which includes individuals participating in conferences and webinars.

Use of our website, cookies, subscriptions and the DFSA app
  1. When someone visits our website we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns for statistical purposes. This information is processed in a way that does not identify any individual.
  2. We use functional cookies exclusively for remembering a user’s preferred language setting when visiting our website. We do not use cookies to identify or build a profile of any individual.
  3. When you subscribe for updates to our website by providing your email address and subscription preferences, you consent to us processing that information in order to provide you with the updates you have requested. You can unsubscribe or modify your subscription for updates to our website here: Subscribe to Updates. 
  4. The DFSA also has a mobile application ("DFSA App"). The DFSA App does not collect any Personal Data or location data of users, and the DFSA cannot view who has downloaded the DFSA App.

Employees, contractors and service providers
  1. We collect and process Personal Data, including Special Categories of Personal Data, for the purposes of assessing an individual’s suitability for employment at the DFSA, and engaging, managing and supporting our employees.
  2. We will also collect and process Personal Data when engaging contractors, service providers, consultants and experts. This will be limited to the specific purposes for engaging such persons, including to undertake appropriate due diligence before any appointment, for administration purposes and during the course of the performance of the specific contract.
  3. There may also be circumstances where we collect and process Personal Data concerning employees, contractors and service providers to obtain security clearances, manage conflicts of interest or conduct enquiries and investigations into suspected misconduct by such persons. 

Inward and outward payments 
  1. All payments made to the DFSA are via inward remittances made directly to our bank account. We do not receive any Personal Data in respect of those remittances except in very limited circumstances in relation to the processing of payments made specifically by individuals or the payment of a financial penalty imposed by the DFSA. The Personal Data we process is only for this limited purpose.
  2. Where we make outgoing payments, we will collect Personal Data such as an email address, name and contact details as is necessary in order for us to make the relevant payment. The Personal Data we collect is only for this limited purpose. 

Our Data Protection Officer
  1. As a DIFC Body, we are required to appoint a Data Protection Officer who monitors our compliance with the DP Law & Regulations and our internal policies relating to Personal Data, advises us on our annual data assessment and other data protection obligations, and acts as our contact point for the Commissioner.
  2. If you have any questions or requests, please email our Data Protection Officer at [email protected] or by writing to:

    DFSA Data Protection Officer
    Dubai Financial Services Authority
    Level 13, West Wing
    The Gate, DIFC
    PO Box 75850
    Dubai, UAE

Changes to this policy
  1. We review this policy regularly and may update it from time to time without prior notice. The most recent version of this policy is available on our website (www.dfsa.ae) and the date of the ‘last update’ is stated at the top of the first page. 

C – RIGHTS OF DATA SUBJECTS


Your rights
  1. Under the DP Law, you have rights as an individual, which you can exercise in respect of the Personal Data we hold about you. For example, you can exercise the following rights:
    1. The right to be provided with specified information about the processing of your Personal Data ('The Right to be Informed').
    2. The right to access your Personal Data and certain supplementary information ('The Right of Access').
    3. The right to have your Personal Data rectified, if it is inaccurate or incomplete ('The Right of Rectification').
    4. The right to have, in certain circumstances, your Personal Data deleted or removed ('The Right of Erasure').
    5. The right, in certain circumstances, to restrict the processing of your Personal Data ('The Right to Restrict Processing').
    6. The right, in certain circumstances, to move Personal Data you have provided to the DFSA to another organisation ('The Right of Data Portability').
    7. The right, in certain circumstances, to object to the processing of your Personal Data and, potentially, require the DFSA to stop processing that data ('The Right to Object').
    8. In the event processing of your Personal Data is based on your consent, the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal ('The Right to Withdraw Consent').

How to exercise your rights
  1. If you wish to find out what Personal Data, if any, we hold about you, or if you wish to exercise other rights in respect of your Personal Data, you can contact our Data Protection Officer by email at [email protected] or at the address given above under "Our Data Protection Officer".
  2. To enable us to process your request promptly, we will need you to provide us with certain information about yourself. You may find it helpful to complete our subject access request form located here: Subject Access Request form.

Circumstances where you may not be able to exercise your rights
  1. In certain circumstances, the DP Law provides an exemption from particular provisions of the law. In particular, the DFSA, as a DIFC Body, is entitled to rely upon an exemption that applies if compliance with a provision of the law is likely to cause material prejudice to the proper exercise of its powers and functions under the laws it administers, which are available here: DFSA laws & rules.
  2. What this means is that, in certain circumstances, we do not have to comply with the usual rights and obligations concerning the rights of data subjects set out in the DP Law. If this is the case and it is appropriate to do so, we will explain what the exemption is, why it applies and what impact it may have on your rights. 
  3. Please keep in mind, there may be circumstances where it is necessary for us to withhold that information from you, for example, where providing it may prejudice an investigation into suspected misconduct being conducted by us, or by another governmental, regulatory or law enforcement agency.  
  4. The circumstances where we may rely upon the exemption are where powers or functions relate to:
    1. protecting the public against financial loss due to dishonesty or malpractice or other seriously improper conduct in the provision of financial services and activities in financial markets;
    2. protecting the public against seriously improper conduct or unfitness or incompetence of, persons concerned in the provision of financial services and activities in financial markets; or
    3. the detection, investigation and prosecution of criminal or unlawful behaviour.
  5. We may also be unable to provide certain information to you due to legal professional privilege or, where we are subject to a statutory obligation that requires us to keep the information confidential or, otherwise by order of a court or adjudicatory body or tribunal of competent jurisdiction.

Data rectification and erasure
  1. In certain circumstances, there may be technical reasons why it is not feasible for us to rectify or erase Personal Data when you ask us to do so. For example: it may not be possible to erase data from our information technology systems; certain records may be incapable of amendment once entered in the system; it may not be possible to remove a single record from our backups, or deleting a backup or manipulating the files within it may compromise the integrity of our backup system as a whole; or it may not be possible to delete an individual’s data without deleting the whole file or record in which the information is contained.
  2. If for any reason, we are unable to act in response to a request for erasure or rectification, we will provide a written explanation to you and inform you of your rights to complain to the Commissioner and to seek a judicial remedy. Circumstances where we may be unable to rectify or erase Personal Data include:
    1. for technical reasons;
    2. for the establishment, exercise or defence of legal claims;
    3. to comply with applicable laws or legal obligations to which the DFSA is subject;
    4. an official or legal inquiry, investigation or procedure or prosecution;
    5. material prejudice to the exercise of the DFSA’s powers and functions concerning:
      1. the prevention, detection, investigation or prosecution of criminal offences or other unlawful behaviours;
      2. protection of the public from dishonesty or other fraudulent or serious misconduct or incompetence in banking, insurance, investment or other banking and financial activities and services; or
      3. to protect the public against financial loss due to dishonesty, malpractice or other serious misconduct, unfitness or incompetence of persons concerned in banking, insurance, investment or other banking and financial activities and services.
Making a complaint
  1. If you believe we have breached the DP Law, you can make a complaint to our Data Protection Officer at [email protected] or make a complaint directly to the Commissioner, whose contact details are available at: www.difc.ae.

D – FURTHER INFORMATION - PERSONAL DATA PROCESSING ACTIVITIES

  1. Please refer to the links below, which provide further information on our Personal Data processing activities in the carrying out of our regulatory powers and functions. In particular:
    1. Supervision: Supervision Data Processing
    2. Enforcement: Enforcement Data Processing
    3. Consultation: Consultation Data Processing
    4. Market oversight: Markets Data Processing
    5. Communicating news and events: Comms Data Processing
    6. Handling complaints about us: Complaints Data Processing
    7. Collecting and disclosing information at the request of other official agencies or authorities: International Data Processing
