🇦🇪 Live Privacy & Data Protection

DIFC Data Protection Law (Law No. 5 of 2020)

Governs the processing of personal data within the Dubai International Financial Centre, establishing data protection principles, data subject rights, and obligations for controllers and processors operating in the DIFC free zone.

View official source document

Rules extracted

Obligations decomposed

6.5x

Avg obligations per rule

🇦🇪 United Arab Emirates

Jurisdiction

About this regulation

DIFC Law No. 5 of 2020 was enacted on 1 July 2020, repealing and replacing the previous Data Protection Law No. 1 of 2007. It establishes a comprehensive GDPR-aligned data protection framework for the Dubai International Financial Centre free zone, administered by the Commissioner of Data Protection. The law covers lawful bases for processing, special categories of personal data, consent requirements, data subject rights, controller and processor obligations, cross-border transfers, DPO requirements, breach notification, data protection impact assessments, and enforcement with administrative fines. It applies to controllers and processors incorporated in the DIFC or processing personal data within the DIFC as part of stable arrangements.

What AuditDSS covers

Source

Regulation

Extracted

Rules

Decomposed

Obligations

6.5x

Decomposition ratio

Each rule is decomposed into an average of 6.5 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 65 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in DIFC Law No. 5/2020 is scored across independent risk dimensions:

Obligation Weight

How critical within the regulatory framework

Violation Likelihood

How often breached in practice

Enforcement Evidence

Regulator enforcement history and penalties

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title: DIFC Data Protection Law (Law No. 5 of 2020)
Regulatory body: DIFC Commissioner of Data Protection
Jurisdiction: 🇦🇪 United Arab Emirates
Document type: law
Effective date: July 1, 2020
Issuing authority: Ruler of Dubai / Dubai International Financial Centre Authority
Industry: Privacy & Data Protection
Official source: View source document ↗

Who this applies to

controllers in DIFCprocessors in DIFCentities offering goods/services to DIFC data subjects

Key requirements

lawful basis for processing (6 bases)
data protection officer designation
data protection impact assessment
records of processing activities
data subject rights (access, rectification, erasure, portability, objection)
automated decision-making protections
data export restrictions
personal data breach notification
Commissioner oversight and enforcement
fines up to USD 100,000

Frequently asked questions about DIFC Law No. 5/2020

What is DIFC Law No. 5/2020?

Who does DIFC Law No. 5/2020 apply to?

DIFC Law No. 5/2020 applies to controllers in DIFC, processors in DIFC, entities offering goods/services to DIFC data subjects.

How many obligations does DIFC Law No. 5/2020 contain?

AuditDSS has decomposed DIFC Law No. 5/2020 into 65 atomic obligations from 10 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of DIFC Law No. 5/2020?

The key requirements include: lawful basis for processing (6 bases), data protection officer designation, data protection impact assessment, records of processing activities, data subject rights (access, rectification, erasure, portability, objection), automated decision-making protections, data export restrictions, personal data breach notification, Commissioner oversight and enforcement, fines up to USD 100,000.

How can I assess my DIFC Law No. 5/2020 compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 65 DIFC Law No. 5/2020 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces DIFC Law No. 5/2020?

DIFC Law No. 5/2020 is enforced in United Arab Emirates by DIFC Commissioner of Data Protection.

When did DIFC Law No. 5/2020 come into effect?

DIFC Law No. 5/2020 became effective on July 1, 2020.

What industry does DIFC Law No. 5/2020 apply to?

DIFC Law No. 5/2020 is primarily relevant to the Privacy & Data Protection industry. AuditDSS covers 71 regulations in this industry sector.

Build a DIFC Law No. 5/2020 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for DIFC Law No. 5/2020 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering DIFC Law No. 5/2020 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine DIFC Law No. 5/2020 with other regulations into a single unified compliance pack for your business.

Build DIFC Law No. 5/2020 compliance pack

Already have a policy? Assess it against DIFC Law No. 5/2020

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

AI maps against 65 obligations

Your document is scored against every obligation in DIFC Law No. 5/2020. Each claim is mapped to the obligation tree and evaluated for coverage.

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.