Last review date: 23 December 2024
Yes.
There are a range of legal bases that can be relied upon for this purpose, including where the processing relates to personal data:
Further legal bases may be relevant in the context of an investigation into any alleged wrongdoing by the employee.
For the processing of special categories of personal data, the most generally relevant legal bases would be that the processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a controller or a data subject in the context of the data subject's employment, including but not limited to recruitment, visa or work permit processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme.
While it may be possible to rely on consent in the employment context, the DIFC Commissioner of Data Protection is known to take into account guidance published by the European Commission, the European Data Protection Board and its predecessor, as well as the guidance published by the UK data protection regulator (the Information Commissioner's Office). Accordingly, reliance on consent in the employment context in DIFC could be difficult, given that the unequal bargaining power between the employer and employee means that consent provided in such a context is arguably not freely given.
Yes.
In September 2023, the DIFC enacted amendments to Regulations under the DIFC Data Protection Law. The new Regulation 10 concerning personal data processed through autonomous and semi-autonomous systems is the first regulation of its kind in the Gulf region to impose specific obligations for controllers and processors with respect to the use of autonomous systems (such as AI systems).