Last review date: 23 December 2024

Under the DIFC Data Protection Law, personal data is defined as any information referring to an identified or Identifiable Natural Person (being a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity).

Last review date: 23 December 2024

Under the DIFC Data Protection Law, special category data is defined as personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Sensitive data includes:

• personal data revealing racial or ethnic origin
• personal data revealing political opinions
• personal data revealing religious or philosophical belief
• personal data revealing trade union membership
• genetic data
• biometric data for the purpose of uniquely identifying a natural person
• data concerning health/medical information
• data concerning a natural person’s sex life or sexual orientation
• personal data regarding an individual's criminal convictions or record

Last review date: 23 December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

• the controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
• the processor/agent is natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller?

Yes.

Both concepts are defined in a similar manner to the same terms used in the GDPR; namely a Controller is any person who alone or jointly with others determines the purposes and means of processing Personal Data; and a Processor is defined as any person who processes Personal Data on behalf of a Controller.