Introduction

To ensure compliance with data protection law, employers in the Dubai International Financial Centre (DIFC) should:

  • review their privacy policies and employment contracts;
  • determine whether they need a new lawful basis for processing employee personal data; and
  • understand and put in place processes to deal with enhanced data subject rights.

On 1 July 2020 the DIFC Data Protection Law (DIFC Law 5/2020) came into force, with organisations given a three-month grace period until 1 October 2020 to ensure compliance with the new provisions.

The new Data Protection Law makes significant changes to the DIFC's existing data privacy regime, introducing changes to the duties and obligations of employers – in their capacities as data controllers – to their employees when processing their personal data. There are a number of important issues which employers should consider and take action on now.

Information provision

Where employers process personal data, Article 29 of the Data Protection Law lists the information that they must provide – as a minimum – to their employees. In this context, employers must tell their employees of the lawful grounds for which they are processing their personal data.

In light of the reforms made to the DIFC's data privacy regime, employers should revisit their employee privacy policies to ensure compliance with the new Data Protection Law. Where an employer has identified that it can no longer rely on employee consent as its lawful basis for processing personal data, the employee privacy policy will need to be updated in conjunction with the employment contract.

'Freely' giving and withdrawing consent

As a starting point, employers must process personal data for a legitimate purpose in accordance with Article 9 of the Data Protection Law.

In addition, employers need a lawful basis before they may process personal data and special categories of personal data, with the latter term referring to particularly sensitive forms of personal data to which additional safeguards apply.

Traditionally, employers have relied on employee consent as the lawful ground for processing their personal data; however, employers must now be able to show that consent was freely given in a clear statement.

Owing to the power imbalance between employers and employees, the DIFC commissioner of data protection has stated that it can be hard for an employer to prove that the employee consented 'freely' to the processing of their personal data, especially where consent is wrapped up in the terms of the employment contract. This is because employees who have consented to the processing of their personal data must be able to withdraw their consent at any time.

Accordingly, any exercise of this right, where an employer relies on consent as its lawful basis, may leave the employer exposed; the employer will need to stop processing the employee's personal data as soon as is reasonably practicable.

To echo the commissioner's position, the recommendation for employers relying on consent is to consider the availability of an alternative lawful ground, for example:

  • Article 10(b) of the Data Protection Law permits personal data to be processed where it is necessary for the performance of a contract to which the data subject is party. Potentially, reliance may be placed on the employment contract as inferred from the employment relationship; and
  • for special categories of personal data, Article 11(b) of the Data Protection Law states that a lawful basis for processing may relate to the performance of the employment contract, which includes, but is not limited to, the processing of personal data for visa and work permit purposes and the administration of a pension or employee workplace savings scheme.

When thinking about alternative lawful grounds, the commissioner has stipulated that employers should avoid relying on consent as the lawful basis while keeping another ground in reserve in case consent is withdrawn. This approach carries the risk of providing employees with unclear information and may complicate the exercise of their data subject rights.

Data subject rights

One of the main changes introduced by the Data Protection Law is the enhancement of data subject rights with reference to their personal data by:

  • clarifying the scope of existing rights; and
  • granting additional rights.

There are a number of data subject rights that employers must understand.

Right to access personal data

The right to access personal data, also known as a subject access request (SAR), gives employees a right to receive, within one month and without charge, a copy of their personal data held by their employer.

The concept of 'personal data' is defined widely under statute and providing an employee with a copy of all of their personal data can be an onerous task for employers. Therefore, when responding to an SAR, employers should:

  • authenticate the employee's identity. This is particularly relevant in the context of a virtual request in order to mitigate the risk of a data breach;
  • clarify and refine the scope of the request. Employers should ask the employee the type of personal data applicable, relevant dates and the subject matter or topic; and
  • agree the format and delivery of the personal data. This will help to ensure that the personal data is delivered in an intelligible format, as the Data Protection Law requires.

Withdrawal of consent to the processing of personal data

Employees have the absolute right to withdraw, at any time, consent given to the processing of their personal data (discussed above in detail).

Erasure of personal data

Where, for example, an employer cannot show that the personal data is still necessary for its original purpose, the employee has the right to have their personal data erased. This right is also known as the 'right to be forgotten'.

Employers should consider this data subject right to erasure, alongside their retention obligations under the DIFC Employment Law.

Objection to processing of personal data

Unless an employer can show that it has a compelling legitimate ground that overrides the interests of the employee, the employee may object to the processing of certain of their personal data.

Non-discrimination for exercising data subject rights

Employers should ensure that they do not discriminate against an employee for exercising one of their other data subject rights under the Data Protection Law. This data subject right is different to the rights under the DIFC Employment Law, which permit an employee to claim discrimination based on a protected characteristic. This is a new provision introduced by the Data Protection Law that could have far-reaching implications for employment relationships.

If, in response to an employee exercising one of their data subject rights, an employer must stop processing employee personal data, this could threaten the continuance of the employment relationship. However, and in light of the risk of a fine of up to $100,000 for any contravention of a data subject's rights, employers must carefully manage employee personal data rights against their business demands.

Next steps

The approaching compliance deadline of 1 October 2020 should spur employers that have yet to review employee policies, contracts and data processing to do so urgently and to put a plan in place to make any necessary changes. There are additional issues which employers should be thinking about, including the new and updated definitions in the Data Protection Law. For example, consideration should be given to when an employer may be acting in the capacity of a controller, processor or joint controller in relation to employee personal data, as well as the updated meaning of 'special categories of personal data' to include communal origin, political affiliation and criminal recorded information.

Employers must also be clear as to who is classified as an 'employee' for the purposes of the Data Protection Law. Where businesses engage contractors or consultants, it is likely that different lawful grounds will need to be identified for the processing of non-employee personal data and special category personal data.

In addition to the risk of fines and other regulatory penalties, compliance with the Data Protection Law will be vital to:

  • uphold employee relations;
  • maintain client and stakeholder confidence; and
  • support business continuity and growth.