DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) | Jurisdiction: DIFC | Effective: 01 Oct 2020

DIFC Data Protection Law 2020 and visitor records: obligations for DIFC-registered organisations

Every DIFC-registered organisation that collects visitor data at its reception desk is processing personal data under the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020). This guide explains the specific obligations that apply to visitor records and how MyGatePass is designed to help organisations meet them.

What is the DIFC Data Protection Law 2020?

The DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) is the data protection legislation applicable to organisations registered in the Dubai International Financial Centre. It replaced the previous DIFC Data Protection Law of 2007 and is closely aligned with the GDPR in structure and principles. It is enforced by the DIFC Commissioner of Data Protection.

The law applies to any organisation that processes personal data in connection with its DIFC activities, including data collected at a reception desk, sign-in kiosk, or visitor management system.

What DIFC DPL requires for visitor data

Lawful basis for processing

DIFC Law No. 5 of 2020 requires a lawful basis for processing. For visitor data, the most applicable bases are: legitimate interests of the data controller (security, building access control), legal obligation (DIFC building access requirements), or consent. Legitimate interests is the standard basis for routine visitor access control.

Transparency obligations

Visitors must be informed, at the point of data collection, of what data is being collected, the purpose, the legal basis, and how long it will be retained. A privacy notice on the sign-in screen satisfies this requirement.

Data minimisation and purpose limitation

Collect only what is necessary for access control. Do not use visitor data for any secondary purpose without a fresh legal basis.

Retention limits

Set and enforce a retention period for visitor records. DIFC buildings typically apply 12–24 months for standard access logs, depending on the sensitivity of the areas accessed.

Security

Visitor records must be protected by appropriate technical and organisational measures. A paper log visible to all subsequent visitors fails this standard. Digital records with access controls and encryption do not.

Data subject rights

Visitors have rights including access, correction, and erasure. Organisations must have a process to handle these requests within the timeframes specified in the law.

How MyGatePass supports DIFC DPL compliance for visitor records

  • Privacy notice at sign-in: display a configurable privacy notice before any data is collected.
  • Minimised data collection: configure sign-in fields to collect only what your access control purpose requires.
  • Automated retention management: set retention periods per visitor category; records are flagged for deletion automatically.
  • Role-based access control: limit who within your organisation can view visitor records.
  • Encrypted storage: records are encrypted at rest and in transit.
  • Data subject request workflow: search, export, or delete individual visitor records in response to data subject requests.

Frequently asked questions

Does DIFC DPL apply to the building management company or to individual tenants?

Both. The building management company is a data controller for visitor data collected at the building reception. Individual tenants are data controllers for visitor data collected specifically for their own office reception. Both must comply with DIFC DPL for the data they respectively control.

What is the penalty for non-compliance with DIFC DPL?

The DIFC Commissioner of Data Protection can impose administrative fines of up to USD 100,000 per violation. The Commissioner can also issue enforcement orders requiring organisations to change their data processing practices.

Is DIFC DPL similar to GDPR?

Yes. DIFC Law No. 5 of 2020 is closely modelled on the GDPR in structure and principles. Organisations that are already GDPR-compliant for visitor data will find the DIFC DPL obligations familiar and largely overlapping. Key differences relate to the enforcement structure and some specific procedural requirements; specialist legal advice is recommended.
