DIFC Data Protection Law – actions for employers

Out-Law Analysis | 17 Sep 2020 | 1:25 pm | 5 min. read

Employers in the Dubai International Financial Centre (DIFC) should review their privacy policies and employment contracts, determine if they need a new lawful basis for processing employee personal data, and understand and put in place processes to deal with enhanced data subject rights, to ensure compliance with data protection law.

The DIFC Data Protection (DP) Law (DIFC Law No. 5 of 2020) came into force on 1 July this year, with organisations given a short grace period of three months until 1 October 2020 to ensure compliance with the new provisions.

The new DP Law makes significant changes to the DIFC's existing data privacy regime, including changes to the duties and obligations that employers – in their capacity as data 'controllers' – owe to their employees when processing their 'personal data'. There are a number of important issues employers should be considering and taking action on now.

Information provision

Where an employer processes personal data, Article 29 of the DP Law lists the information that employers must provide – as a minimum – to their employees. Within this information, the employer must tell its employees of the lawful ground(s) for which it processes their personal data.

In light of the reforms made to the DIFC's data privacy regime, employers should be revisiting their employee privacy policies to ensure compliance with the new DP Law. Where an employer has identified that it can no longer rely on employee 'consent' as its lawful basis for processing personal data, the employee privacy policy will need to be updated, in conjunction with the employment contract.

'Freely' giving and withdrawing consent

As a starting point, employers must process personal data for a legitimate purpose in accordance with Article 9 of the DP Law. 

Additionally, employers need a lawful basis before they may process personal data and special categories of personal data, with the latter term referring to particularly sensitive forms of personal data that additional safeguards apply to.

Traditionally, employers have relied on employee 'consent' as the lawful ground for processing their personal data. However, employers must now show that consent was "freely given in a clear statement of words".

Owing to the imbalance of power between an employer and employee, the DIFC commissioner of data protection has said that it can be hard for an employer to evidence that the employee consented 'freely' to the processing of their personal data, especially where consent is wrapped up in the terms of the employment contract. This matters because employees who have consented to the processing of their personal data must be able to withdraw their consent at any time.

Accordingly, where an employer relies on 'consent' as its lawful basis, any exercise of this right may leave the employer exposed: the employer will need to stop processing the employee's personal data "as soon as is reasonably practicable".

To echo the commissioner's position, the recommendation for employers relying on consent is to consider the availability of an alternative lawful ground, for example:

  • for personal data, Article 10(b) of the DP Law permits personal data to be processed where it is necessary for the performance of a contract to which the data subject is party. Potentially, reliance may be placed on the employment contract as inferred from the employment relationship;
  • for special categories of personal data, Article 11(b) of the DP Law states that a lawful basis for processing may relate to the performance of an employment contract, which includes, but is not limited to, the processing of personal data for visa and work permit purposes and the administration of a pension or employee workplace savings scheme.

When thinking about alternative lawful grounds, the commissioner has stipulated that employers should avoid using 'consent' as the lawful basis while holding another 'back-up' ground in reserve in case consent is withdrawn. This approach carries the risk of providing employees with unclear information and may complicate the exercise of their data subject rights.

Data subject rights

One of the main changes introduced by the DP Law is the enhancement of data subject rights with reference to their personal data by:

  • clarifying the scope of existing rights; and,
  • granting additional rights.

There are a number of data subject rights that employers need to understand:

The right to access personal data

Also known as a subject access request (SAR), this right gives employees a right to receive, within one month and without charge, a copy of their personal data held by the employer. 

The concept of 'personal data' is defined widely under statute, and providing an employee with a copy of all of their personal data can be an onerous task for the employer. Therefore, initial steps employers should take when responding to a SAR include:

  • authenticate the employee's identity: this is an important first step for the employer, and is particularly relevant in the context of a virtual request, in order to mitigate the risk of a data breach;
  • clarify and refine the scope of the request: ask the employee the type(s) of personal data applicable; relevant dates; the subject matter/topic;
  • agree the format and delivery of the personal data: this will help ensure that the personal data is delivered in an 'intelligible format', as the DP Law requires.

Withdraw consent to the processing of personal data

Employees have the absolute right to withdraw, at any time, consent given to the processing of their personal data, as discussed in detail above.

Erasure of personal data

Where, for example, the employer cannot show that the personal data is still necessary for the purpose for which it was collected, the employee will have the right to have their personal data erased. This right is also known as the 'right to be forgotten'.

Employers should consider this data subject right to erasure alongside their retention obligations under the DIFC Employment Law.

Object to the processing of personal data

Unless the employer can show that it has a compelling legitimate ground that overrides the interests of the employee, the employee may object to the processing of certain of their personal data.

Non-discrimination for exercising data subject rights

Employers should ensure that they do not discriminate against an employee for exercising one of their other data subject rights under the DP Law. This data subject right is different to the rights under the DIFC Employment Law, which permit an employee to claim discrimination based on a 'protected characteristic'. This is a new provision introduced by the DP Law that could have far-reaching implications for the employment relationship.

If, in response to an employee exercising one of their data subject rights, the employer has to stop processing employee personal data, this could threaten the continuance of the employment relationship. However, in light of the risk of a fine of up to $100,000 for any contravention of a data subject's rights, employers will need to carefully manage employee personal data rights against their business demands.

Next steps

The approaching compliance deadline date of 1 October 2020 should spur employers that have yet to review employee policies, contracts and data processing to urgently do so and put a plan in place to make any necessary changes. There are additional issues employers should be thinking about too:

  • the new and updated definitions in the DP Law. For example, consideration should be given to when the employer may be acting in the capacity of a 'controller', 'processor' and/or 'joint controller' in relation to employee personal data; as well as the updated meaning of 'special categories of personal data', which now includes communal origin, political affiliation and criminal record information;
  • who is classified as an 'employee' for the purposes of the DP Law. Where businesses engage contractors or consultants, it is likely that different lawful grounds will need to be identified for the processing of 'non-employee' personal data and special category personal data.

In addition to the risk of fines and other regulatory sanctions, compliance with the DP Law will be vital to upholding employee relations, maintaining client and stakeholder confidence and supporting business continuity and growth. 

Co-written by employment law expert Ruth Stephen of Pinsent Masons.