Introduction
The Dubai International Financial Centre (DIFC) has announced recent amends to the DIFC Data Protection Law No. 5 of 2020 (DPL) by way of DIFC Laws Amendment Law No.1 of 2025 (the Amendment Law).
The Amendment Law was enacted on 8 July 2025 and came into effect on 15 July 2025. You can view this amendment here.
The amendments are as a result of a recent consultation which ended on 26 May 2025. The amendments are a key measure to strengthening the data protection measures within the DIFC and providing a clearer approach for both individuals and organisations. The amendments also reinforce the DIFC’s position as having one of the most robust data protection regimes in the Middle East, which is built on innovation and accountability and aligns with best practice models such as the GDPR.
Key Developments
- Application and Extra-Territorial Scope (Article 6)
The application of the DIFC DPL has been clarified to explicitly include sub-processors who handle personal data within the DIFC regardless of its place of incorporation as part of stable arrangements. The application of the DIFC DPL no longer excludes stable arrangements conducted on an occasional basis, broadening the DIFC DPL’s application. - Cross-border transfers (Article 28)
The amendment clarifies the adequacy referential for assessing the suitability of third countries for receiving personal data. This therefore introduces a clearer expectation for the safeguards which need to be implemented for data disclosures to public authorities and third parties. The amendment will encourage organisations to perform due diligence and implement safeguards, where required. - Private Right of Action (Article 64A)
Individuals are now able to bring compensation claims directly before the DIFC Courts if they suffer damage as a result of a breach of the DIFC DPL. This new right is without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with the DIFC Data Protection Commissioner. The introduction of this new private right of action strengthens the legal options available to individuals. - Fines (Schedule 2)
There have been a number of updates on the fines under the DIFC DPL. This includes;
a. adding a new fine of $25,000 for a failure by a Data Protection Officer to conduct an annual assessment regarding a controller’s processing activities under Article 19;
b. increasing the fine for failing to carry out Data Protection Impact Assessments from $20,000 to $50,000 under Article 20;
c. and increasing the fine for contravening the data sharing provisions under Article28 of the DIFC DPL from $10,000 to $50,000.
Impact
The amendments provide updates aimed at both organisations and individuals to strengthen data protection practices and provide clarity on practical implementation. One critical point to be aware of is that organisations are likely to face increased exposure given the new private right of action. Therefore, enhanced care will need to be taken to ensure robust policies and procedures are in place, as individuals gain a deeper awareness and additional recourse over their personal data.
/Passle/59994aefb00e801a0c1447be/SearchServiceImages/2025-09-01-10-00-06-292-68b56ea6577e0e7609edfce4.jpg)
/Passle/59994aefb00e801a0c1447be/SearchServiceImages/2025-08-28-07-42-34-171-68b0086a1264baebeba02d51.jpg)
/Passle/59994aefb00e801a0c1447be/SearchServiceImages/2025-08-26-13-09-54-916-68adb22243613ebba9f07e13.jpg)