4. Confidentiality Obligations

4.1 Although the DFSA has comprehensive powers to access confidential information so that it can properly discharge its regulatory functions, there are statutory limitations or restrictions on the way the DFSA uses and deals with confidential information. These limitations or restrictions are necessary to protect individual privacy and to assure regulated firms and individuals, and their clients, that the confidential information they provide to the DFSA will be dealt with in confidence and used only for lawful purposes.

Dubai Law No. 9 of 2004

4.2 Under Article 7 of Dubai Law No. 9 of 2004, which is the law under which the DFSA was established, the DFSA is required to keep confidential any confidential information obtained, disclosed or collected by it, in the course of performing its functions. The Article specifically prohibits the disclosure of confidential information to third parties except in circumstances permitted by DIFC laws and regulations.

DIFC Regulatory Law

4.3 Article 38(1) of the Regulatory Law parallels the above confidentiality provisions by prohibiting the DFSA, its employees, agents or any person from disclosing confidential information unless they have the consent of the person to whom the duty of confidentiality is owed or unless the disclosure is expressly authorised under Article 38(3) (see Part 5 below).

DIFC Data Protection Law

4.4 The DIFC Data Protection Law applies to everyone in the DIFC, including the DFSA. Its purpose is to protect privacy rights and to ensure an individual's personal information, which is presumed to be confidential information, is kept confidential and used only for the lawful purpose for which it was provided. The Data Protection Law only protects the privacy rights of individuals and not companies or other like entities.

4.5 The Data Protection Law requires the DFSA as a data controller, which is a person who obtains, stores or processes an individual's personal information, to do so fairly, lawfully, securely and only for the specific purpose it was obtained. The personal information must not be kept longer than necessary and if inaccurate or incomplete must be rectified or erased.

UAE Penal Code

4.6 It is a criminal offence under Article 379 of the UAE Penal Code, Federal Law No. 3 of 1987, (which applies in the DIFC) for any person including the DFSA, its employees and agents to disclose confidential information to third parties without having the legal authority to do so. This Article applies to all persons, not just currently serving public officers. However, it imposes more severe penalties on public officers if they disclose such information in cases other than those permitted by the law.