The 21st century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the UAE and beyond, affording individuals stronger, more consistent rights to access and control their personal information, whether as customers or employees.
This policy sets out the basis on which any personal data we collect, or that is provided to us, will be processed by us. For the purposes of the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (the “Law”), the data controller is FZCO.
Personal data
See Appendix A for the references relating to this policy. The Law applies to ‘personal data’ (see Article 6), meaning any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data, or online identifier, reflecting changes in technology and the way organizations collect information about people.
The Law applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymized (e.g., key-coded) can fall within the scope of the Law, depending on how difficult it is to attribute the pseudonym to a particular individual (see Article 22(c) of the Law).
Appendix B displays Articles 9 to 11 of the Law for ease of reference.
Sensitive personal data
The Law refers to sensitive personal data as “special categories of personal data” (see Article 11).
The special categories specifically include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life, and sexual orientation where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offenses is not included, but similar extra safeguards apply to its processing (see Article 10).
CFP Technology FZCO (‘we’, ‘us’ or ‘our’) is committed to ensuring the security and protection of the personal information that we process, and to providing a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place that complies with existing law and abides by data protection principles. However, we recognize our obligations in updating and expanding this program to meet the demands of the Law and the UK’s Data Protection Bill.
CFP Technology FZCO is dedicated to safeguarding the personal information under our remit and to developing a data protection regime that is effective, fit for purpose, and demonstrates an understanding of, and appreciation for, the new Regulation. Our preparation and implementation objectives for compliance with the Law have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls, and measures to ensure maximum and ongoing compliance.
What are the lawful bases for processing?
There are six lawful bases for processing, set out in Article 6 of the Law. At least one of these must apply whenever we process personal data:
(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The principle of accountability requires that we can demonstrate that we are complying with the Law and have appropriate policies and processes. This means that we need to be able to show that we have properly considered which lawful basis applies to each processing purpose and can justify our decision.
We, therefore, keep a record of which basis we are relying on for each processing purpose, and a justification for why we believe it applies.
It is our responsibility to ensure that we can demonstrate which lawful basis applies to the particular processing purpose.
See the accountability section of this guide for more on this topic.
Registration: Our business is registered with the DIFC Commissioner’s Office. Details will be available on the DIFC’s public register.
CFP Technology FZCO already has a consistent level of data protection and security across our organization; however, our aim was to be fully compliant with the Law.
We organized an information audit across our business to identify the data that we process and how it flows into, through, and out of our business.
Having audited our information, we then identified any risks.
We have documented our findings in the Information Asset Register. This register will be reviewed any time a new process or purpose of the data is used.
As we have fewer than 250 employees, we must keep records of any processing activities that:
We may be required to make these records available to the Commissioner on request.
Lawful bases for processing personal data: Our business has identified the lawful bases for processing and appropriately documented them. Our decision on the lawful bases for processing will have an effect on individuals’ rights. For example, if we rely on someone’s consent to process their data, they will have a stronger right to have their data deleted. It is important that we inform individuals how we intend to process their personal data and what our lawful bases are for doing so, for example in our privacy notice(s).
Our Lawful Bases for Processing
Consent: Our business has reviewed how we ask for and record positive consent
Consent is not always required, and we should always assess whether another lawful basis is more appropriate.
Consent means offering people genuine choice and control over how we use their data. We can build trust and enhance our business by using consent properly.
The Law sets a standard of consent in several areas and contains much more detail. For example, we must:
Consent: Our business systems record and manage ongoing consent
We continue to review consent as part of our ongoing relationship with individuals.
We keep our clients’ consent under review and refresh it if anything changes. We have a system or process to capture these reviews and record any changes.
Contract: When is the lawful basis for contracts likely to apply?
We have a lawful basis for processing if:
Legal Obligation: When is the lawful basis for legal obligations likely to apply?
In short, when we are obliged to process personal data to comply with the law.
Article 6(3) requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So, it includes clear common law obligations.
This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that our overall purpose must be to comply with a legal obligation that has a sufficiently clear basis in either common law or statute.
We should be able to easily identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, we can refer to a government website or to industry guidance that explains generally applicable legal obligations.
It’s clear from Recital 46 of the Law that vital interests are intended to cover only interests that are essential for someone’s life. So, this lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care when anyone needs to process personal data for medical purposes, but the individual is incapable of giving consent to the processing.
This basis does not apply to our company.
This can apply if we are either:
This basis does not apply to our company.
Legitimate Interests:
Article 6(1)(f) gives us a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
A wide range of interests may be legitimate interests. They can be our own interests or the interests of third parties, commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
We will complete a legitimate interest assessment if we have to rely on this basis.
This basis is not likely to apply to our company.
We must still have a lawful basis for our processing under Article 6, in exactly the same way as for any other personal data. The difference is that we will also need to satisfy a specific condition under Article 9. See the definition above.
This is because special category data is more sensitive, and so needs more protection.
This means we must either be processing the data in an official capacity or have specific legal authorization – which in the UK, is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill.
Data Subject Rights
In addition to the policy and procedures mentioned above that ensure individuals can enforce their data protection rights, we operate a system of data retention that easily accommodates any request the data subject may make.
We provide easy-to-access information via [our website, in the office, during induction, etc.] of an individual’s right to access any personal information that CFP Technology FZCO processes about them.
The individual may request information about:
When we provide privacy notices to individuals.
Individuals need to know that their data is collected, why it is processed, and who it is shared with.
We publish this information in our privacy notice on our website and within any forms or letters we send to individuals.
The information will be:
The information we supply is determined by whether we obtained the personal data directly from the individual or from a third party. The only exception is that, for data obtained from a third-party provider, we do not need to give “details of whether individuals are under a statutory or contractual obligation to provide the personal data”.
Individuals have the right to obtain information on the categories of personal data being processed, the purpose of the processing, the decisions made upon automated processing, and the entities with whom the personal data is shared. Specifically, individuals have the right to obtain:
We provide a copy of the information free of charge. However, we may charge a ‘reasonable fee’ when a request:
The fee must be based on the administrative cost of providing the information. See Article 33(8) of the Law.
The information must be provided without delay and at least within one calendar month of receipt. We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). A calendar month ends on the corresponding date of the next month (e.g. 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (e.g. 31 January to 28 February).
We must verify the identity of the person making the request, using “reasonable means”.
If the request is made electronically, we should provide the information in a commonly used electronic format.
How we ensure personal data held by us remains accurate and up to date
Under Article 33(1) of the Law, individuals have the right to have personal data rectified if it is inaccurate or incomplete.
We will always respond to a request without delay and at least within one month of receipt.
We can extend this period by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). If we have disclosed the personal data to a data processor (third party) we must inform them of the rectification where possible.
We will regularly review the information we process or store to identify when we need to do things like correct inaccurate records. We will maintain a Records Management Policy, with rules for creating and keeping records (including email addresses), if our records grow to, or are above, 500 names.
We securely dispose of personal data that is no longer required or where an individual has asked us to erase it.
Individuals have the right to be forgotten and can request the erasure of personal data when:
We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
We will keep data as explained in “How We Implemented The Law” above.
Article 35 states we should maintain adequate procedures to respond to an individual’s request to restrict the processing of their personal data, subject to the legal basis for processing as discussed above.
Where there is a justified objection, Processing initiated by a Controller shall no longer include that Personal Data, and Article 22 shall apply with respect to such Personal Data. An objection under Article 34(1)(a) is deemed justified unless the Controller can demonstrate compelling grounds for such Processing that override the interests and rights of a Data Subject, or that the circumstances in Article 34(3) apply.
If a Controller collected Personal Data from a Data Subject and the Controller can demonstrate that the information provided to the Data Subject under Article 29(1)(h)(ix) was explicit, clear, and prominent with respect to the manner of Processing the Personal Data and expressly stated that it would not be possible to implement an objection to the Processing at the request of the Data Subject, then the Controller may continue Processing the Personal Data in the same manner, subject to this Law in all other respects.
We maintain adequate and proportional processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to effective usability, if applicable.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
They can receive personal data or move, copy, or transfer that data from one business to another in a safe and secure way, without hindrance.
The right to data portability only applies:
We must provide the personal data in a structured, commonly used, and machine-readable format. Examples of appropriate formats include CSV and XML files.
We must provide the information free of charge.
If the individual requests it, we may be required to transmit the data directly to another business where this is technically feasible.
We have adequate procedures to handle an individual’s objection to decisions made by automated processing of their personal data.
Individuals have the right to object to:
Individuals must have an objection on “grounds relating to his or her particular situation”.
However, for processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority or for purposes of scientific/historical research and statistics, we must stop processing personal data unless:
Individuals also have the right to object to any processing undertaken for the purposes of direct marketing (including profiling). We will stop processing for direct marketing as soon as we receive an objection. There are no exemptions or grounds to refuse.
We will inform individuals of their right to object “at the point of first communication” and clearly lay this out in our privacy notice.
We have identified whether any of our processing operations constitute automated decision-making and have procedures in place to deal with the requirements.
The Law provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
Individuals have the right not to be subject to a decision when:
The right does not apply if the decision:
If suitable measures to safeguard the rights of data subjects are required, these must include at least:
The Law defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyze or predict their:
If the decision involves the processing of special categories of personal data, then the exceptions available to justify the processing are more limited.
Processing can only take place if:
We will exercise particular caution if using automated decision-making in relation to a child.
Under Article 39 of the Law, which sets out certain conditions, we do not discriminate against any data subject.
Our business has this data protection policy to permit all staff access to understand how data is processed within the business.
The Law requires us to show how we comply with the principles.
Our business monitors our compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
Documenting policies alone is often not enough to provide assurance that staff are adhering to the processes they cover. We will ensure that we have a process to monitor compliance with data protection and security policies.
Measures that are detailed within the policies should be regularly tested to provide assurances as to their continued effectiveness.
Where relevant our business provides data protection awareness training for all staff.
We brief all staff handling personal data on their data protection responsibilities when they join our company.
Whenever we use a processor, we will have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities. The Law sets out what needs to be included in the contract.
In the future, standard contractual clauses may be provided by the Ruler or the Commissioner and may form part of certification schemes. However, at the moment no standard clauses have been drafted.
We are liable for our processor’s compliance with the Law and must only appoint processors who can provide “sufficient guarantees” that the requirements of the Law will be met and the rights of data subjects protected. In the future, using a processor that adheres to an approved code of conduct or certification scheme may help us to satisfy this requirement.
Processors must only act on our documented instructions. They will however have some direct responsibilities under the Law and may be subject to sanctions if they don’t comply.
We actively manage information risks in a structured way so that management understands the business impact of personal data-related risks and manages them effectively.
We set out how we (and any of our data processors) manage information risk. We employ strategies to help manage the risk, such as:
We have implemented appropriate technical and organizational measures to integrate data protection into our processing activities.
Under the Law, we have a general obligation to implement appropriate technical and organizational measures to show that we have considered and integrated data protection into our processing activities. Under the Law, this is referred to as data protection by design and by default.
We understand when we must conduct a DPIA and have appropriate processes in place to action this. We currently do not hold any sensitive data that would require a DPIA.
DPIAs help us to identify the most effective way to comply with our data protection obligations and meet individuals’ expectations of privacy.
An effective DPIA will allow us to identify and fix problems at an early stage, reducing the associated costs and damage to our reputation which might otherwise occur.
We must carry out a DPIA when:
Processing that is likely to result in a high risk includes but is not limited to:
The DPIA should contain the following information:
We have a DPIA framework that links to our existing risk management and project management processes.
A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context, and purposes of the processing.
We will start to assess the situations where it will be necessary to conduct one, including:
If the processing is wholly or partly performed by a data processor, then that processor must assist us in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.
CFP Technology FZCO takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure and precaution to protect and secure the personal data that we process.
We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure, or destruction, and have several layers of security measures, including SSL, access controls, a password policy, encryption, pseudonymization, access restrictions, and authentication.
Due to the size of our company, we do not have an appointed Data Protection Officer, and the principal will be the point of contact for all inquiries.
CFP Technology FZCO understands that continuous employee awareness and understanding is vital to continued compliance with the Law and has involved our employees in our implementation plans. We have implemented an employee training program specific to the Law, which will be provided to all employees and form part of our induction and annual training program.
If there are any questions about our implementation of the Law, please contact [Data Protection Officer (DPO)/Appointed Person].
Subject to Article 16(3), we have nominated a data protection lead or Data Protection Officer (DPO).
It is important to make sure that someone in our business, or an external data protection advisor, takes responsibility for data protection compliance.
We may need to appoint a DPO if we:
The DPO should work independently, report to the highest management level, and have adequate resources to enable our organization to meet its obligations under the Law.
The DPO’s minimum tasks are to:
Our decision-makers and key people are keen to demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
We will make sure that decision-makers and key people in our business are aware of the requirements under the Law.
Decision makers and key people should lead by example, demonstrating accountability for compliance with the Law and promoting a positive culture, within our business, for data protection.
They should take the lead when assessing any impacts on our business and encourage a privacy-by-design approach.
They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.
Our business uses this information security policy supported by appropriate security measures.
We must process personal data in a manner that ensures appropriate security.
Before we can decide what level of security is right for us, we will need to assess the risks to the personal data we hold and choose security measures that are appropriate to our needs.
Keeping our IT systems safe and secure can be a complex task and does require time, resources, and (potentially) specialist expertise.
If we are processing personal data within our IT system(s) we recognize the risks involved and take appropriate technical measures to secure the data.
The measures we have put in place fit our business’s needs.
We have a separate Information Security policy that details our approach to information security, the technical and organizational measures that we will implement, and the roles and responsibilities staff have in relation to keeping information secure.
These restrictions are in place to ensure that the level of protection of individuals afforded by the Law is not undermined.
Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the Law.
We have effective processes to identify, report, manage, and resolve any personal data breaches.
The Law introduces a duty on all organizations to report certain types of personal data breaches to the Commissioner and, in some cases, to the individuals affected.
A personal data breach means a breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
We understand that we only have to notify the Commissioner of a breach where it is likely to result in a risk to the rights and freedoms of individuals and in that event, we must notify those concerned directly and without undue delay.
In all cases, we will maintain records of personal data breaches, whether or not they were notifiable to the Commissioner.
A notifiable breach has to be reported to the Commissioner within 72 hours of the business becoming aware of it. The Law recognizes that it will often be impossible to investigate a breach fully within that time period and allows us to provide additional information in phases.
We make sure that our staff understand what constitutes a personal data breach, and that this is more than a loss of personal data. We have an internal breach reporting procedure in place. This will facilitate decision-making about whether we need to notify the relevant supervisory authority or the public.