The DIFC Data Protection Law (DPL) uses the factor of "Processing by Local Establishment" to determine its applicability to controllers and processors operating within the Dubai International Financial Centre (DIFC). ## Text of relevant provision DIFC DPL Art.6(3)(b) states: "This Law applies to a Controller or Processor, regardless of its place of incorporation, that Processes Personal Data in the DIFC as part of stable arrangements, other than on an occasional basis. This Law applies to such Controller or Processor in the context of its Processing activity in the DIFC (and not in a Third Country), including transfers of Personal Data out of the DIFC." ## Analysis of provisions The provision establishes two key criteria for the law's applicability: 1. Processing Personal Data in the DIFC: The law applies to controllers and processors that process personal data within the DIFC's jurisdiction. This is indicated by the phrase "Processes Personal Data in the DIFC". 2. Stable arrangements: The processing must be part of "stable arrangements" rather than occasional processing. This suggests a level of permanence or regularity in the data processing activities within the DIFC. The law explicitly states that it applies "regardless of its place of incorporation", meaning that the entity's legal registration location is not a determining factor. Instead, the focus is on the actual processing activities taking place within the DIFC. The provision also clarifies that the law applies "in the context of its Processing activity in the DIFC (and not in a Third Country)". This limits the scope to activities within the DIFC while acknowledging that the law also covers "transfers of Personal Data out of the DIFC". ## Implications This applicability factor has several implications for businesses: 1. Physical presence: Companies with a physical presence in the DIFC that process personal data as part of their regular operations will likely fall under the law's scope. 2. Remote processing: Entities without a physical presence in the DIFC may still be subject to the law if they process personal data within the DIFC through stable arrangements, such as using cloud services or data centers located in the DIFC. 3. Occasional processing: Companies that only process personal data in the DIFC on an occasional basis may not be subject to the law. However, the threshold between "occasional" and "stable arrangements" is not clearly defined and may require case-by-case assessment. 4. Data transfers: While the law primarily focuses on processing within the DIFC, it also covers transfers of personal data out of the DIFC. This means that companies processing data in the DIFC must comply with the law's requirements even when transferring data to other jurisdictions. 5. Global companies: Multinational corporations with operations in the DIFC need to ensure compliance with the DIFC DPL for their DIFC-based data processing activities, regardless of where the company is headquartered or incorporated.