Yes. There are restrictions on cross-border transfers of personal data, which are similar to those contained in the EU General Data Protection Regulation. Transfers should be to a jurisdiction that affords personal data an adequate degree of protection (a list of adequate jurisdictions is available here) or ensures that the transfer satisfies one of the other requirements set out in Article 27 of the Data Protection Law (Dubai International Financial Centre ("DIFC") Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022) ("DPL").

In relation to cross-border transfers of personal data to a jurisdiction that is not recognized as adequate, the parties are obliged to enter into the appropriate form of model clauses (available here) adopted by the DIFC commissioner (responsible for supervising and enforcing the DPL). Where processing is subject to the UK or EU standard contractual clauses (“SCCs”), the commissioner will allow the parties to rely on these SCCs (on the grounds that they are intended to achieve the same purpose as the DIFC SCCs) provided that details of the transfers to or from the DIFC are described in the exhibit and the parties expressly agree that the DIFC commissioner may have jurisdiction in respect of the processing being carried out.