Applicability of Data Protection Law in UAE - DIFC: Filing System Criterion

The "Filing System Criterion" is used to determine whether manual processing of personal data falls within the scope of data protection laws. It applies to personal data that is organized in a structured manner, allowing for easy retrieval. In the context of DIFC (Dubai International Financial Centre), this criterion is relevant under the DIFC Data Protection Law (DPL).

Text of Relevant Provisions

DIFC DPL Art.6(2)(b):

"(2) This Law applies to the Processing of Personal Data: (b) other than by automated means where the Personal Data forms part of a Filing System or is intended to form part of a Filing System."

Analysis of Provisions

The Filing System Criterion in DIFC DPL Art.6(2)(b) specifies that the law applies to the processing of personal data not only by automated means but also to manual processing if the data forms part of a filing system or is intended to form part of a filing system. This provision ensures that personal data, even when processed manually, is subject to data protection regulations if it is structured in a way that allows for systematic retrieval.

Key elements of this provision include:

• Other than by automated means: This extends the law’s scope to include manual data processing.
• Forms part of a Filing System: This implies that the personal data must be organized in a structured set that can be accessed according to specific criteria.

By including manual data processing within its scope, the DIFC DPL ensures comprehensive data protection coverage. This means that any manual records that are systematically arranged and can be retrieved based on specific criteria are covered by the law.

Implications

For businesses operating within the DIFC, the inclusion of the Filing System Criterion means they must ensure compliance with data protection regulations not only for digital data but also for manual records that are organized in a structured way. This broadens the scope of compliance requirements and highlights the importance of maintaining proper data management practices for all types of data storage systems.

Examples:

• Applies: A law firm in DIFC maintains client records in a filing system where documents are organized by case number and client name. This system would be subject to DIFC DPL.
• Does not apply: A small consultancy keeps ad-hoc notes about clients without any structured organization. This would not meet the Filing System Criterion and thus fall outside the scope of DIFC DPL.

Understanding and adhering to the Filing System Criterion is crucial for data controllers and processors within DIFC to ensure that they are fully compliant with the data protection laws.