UAE - DIFC Jurisdiction: Prospective Filing System Inclusion

The factor of Prospective Filing System Inclusion is addressed in the DIFC Data Protection Law (DPL), ensuring that the law applies to data processing activities performed manually if the personal data is intended to be part of a filing system.

Text of Relevant Provisions

DIFC DPL Art.6(2)(b):

"(2) This Law applies to the Processing of Personal Data: (b) other than by automated means where the Personal Data forms part of a Filing System or is intended to form part of a Filing System."

Original (Arabic):

"٢) تسري أحكام هذا القانون على معالجة البيانات الشخصية: (ب) التي تتم بوسائل غير مؤتمتة حيث تكون البيانات الشخصية جزءًا من نظام ملفات أو يُراد إدخالها في نظام ملفات."

Analysis of Provisions

• DIFC DPL Art.6(2)(b) explicitly extends the scope of the law to include non-automated processing of personal data, provided that the data "forms part of a Filing System or is intended to form part of a Filing System." This provision ensures that data protection obligations are triggered not only when data is currently part of a structured filing system but also when there is an intention to organize the data into such a system.
• The inclusion of the phrase "intended to form part of a Filing System" is crucial. It captures scenarios where personal data is collected and initially processed manually but is planned to be incorporated into an organized filing system at a later stage. This prevents data controllers and processors from circumventing the law by delaying the formal organization of data into a filing system.
• The rationale behind this inclusion is to maintain robust data protection standards by covering all relevant data processing activities, regardless of the timing of their organization. By ensuring that data intended for filing systems is subject to the law, the DIFC DPL provides comprehensive protection from the moment of data collection, even if the data is not yet fully structured.

Implications

• For businesses operating within the DIFC, this provision means that manual data processing activities are subject to the DPL if the data is intended to be part of a filing system. Companies must ensure compliance with data protection regulations from the outset of data processing, particularly if there is an intention to later organize the data into a systematic filing system.
• An example could be a legal firm in the DIFC that collects client information on paper forms, intending to digitize and organize the data into an electronic filing system. Even before the digitization occurs, the firm must comply with the DPL because the data is intended to form part of a filing system.
• This provision emphasizes the need for businesses to implement data protection measures early in the data processing lifecycle. The applicability of the law is not limited to automated processes but also extends to manual activities that will eventually lead to the data being included in a filing system.