Polisee

DIFC

(Test) Regulation 10 - Annex A (Proposed Changes)

We're seeking views on this draft from regulated entities, law firms, NGOs, and civil society. Submissions are most useful when they address specific provisions and cite evidence when appropriate.

Closes 22 July 2026 · 5 days left

Supporting documents

The document

Your browser can’t show the document inline. Open it in a new tab ↗
Open the full document in a new tab ↗

The regulator’s questions

Answer the regulator’s questions

The regulator would value your view on these. Answer any that apply — they’re optional.

Question 1

· Whole document

Do you understand and agree with the changes to Regulation 10, particularly with respect to the AI-native jurisdiction initiative? If not, please provide your reasoning and details of specific concerns.

Question 2

Section 10.3.1

Do you understand and agree with new concept definition of “Safety” included in Regulation 10.3.1(f)? Please provide your reasoning and details of specific feedback, including any ambiguity or concerns.

Read section 10.3.1

10.3.1 · A System developed and utilised in products, services, or other use cases that…

10.3.1 A System developed and utilised in products, services, or other use cases that may impact a Data Subject, negatively or positively, must be designed in accordance with the following concepts:9 (a) Ethical: algorithmic decisions and the associated data lineage of a System should be unbiased and mitigated. This principle is closely linked with the principles of fairness and transparency. (b) Fairness: Systems should be designed to treat all individuals equally and fairly, regardless of race, gender, or other specifically subjective factors. Additionally, Systems should be designed to avoid potential biases, including unjust bias, or where possible, mitigate bias that could lead to unfair outcomes. (c) Transparent: a System must ensure that Processing of Personal Data is explainable to Data Subjects and other stakeholders in non-technical terms, with appropriate supporting evidence. (d) Secure: a System must keep Personal Data protected and kept confidential and prevent data breaches which could cause reputational, psychological, financial, professional, physical or other types of harm. (e) Accountability: a System must have mechanisms in place to ensure responsibility and accountability for enabling its Systems and outcomes. Such mechanisms may include internal governance and control frameworks in place for monitoring the System, processes and projects regularly or external organisation auditing processes regularly, enabling the assessment of algorithms, data and design processes. 9 Guidance on Regulation 10.3.1(a) – (e): This provision gives force to the fundamental principles of fairness, ethical compliance, transparency, security of operation and accountability that each System that is used to process Personal Data must ultimately comply with. The regulatory purpose of the provision is to establish these principles as overarching requirements that Systems must be designed to comply with. However, the provision purposefully does not limit its application to “developers” of Systems only, because it anticipates that ultimately it may be “Deployers” and “Operators” that, being the visible entities with direct exposure to any data subjects impacted by the operation of the System, must be held accountable for compliance. “Deployers” and “Operators” would then ensure in turn that they procure Systems only from “developers” that can give them contractual comfort of compliance-by-design with these principles. DATA PROTECTION REGULATIONS 13 CONFIDENTIAL (e)(f) Safety: a System must be designed, developed, and operated with safeguards to identify the use of personal data, assess and mitigate risks of harm to individuals, and intended to prevent discriminatory or biased outcomes through appropriate oversight, testing, and controls.

Question 3

Sections 10.3.3, 10.3.4

Do you believe the ASO obligations and skills have been sufficiently detailed in this update? If not, please suggest additional requirements and your reasons for this.

Read sections 10.3.3, 10.3.4

10.3.3 · No person may use, operate, provide, offer or otherwise make available for…

10.3.3 No person may use, operate, provide, offer or otherwise make available for commercial use a System to engage in High Risk Processing Activities, unless:11 (a) the Commissioner has established audit and certification requirements applicable to Systems used in High Risk Processing Activities; (b) the System complies with all such requirements; (c) the System Processes Personal Data solely for human-defined or human-approved purposes; and (d) the Deployer or Operator has appointed an Autonomous Systems Officer (ASO), who shall: (i) possess at a minimum, similar competencies and level or organisational authority required of a DPO as set out in Article 17 and Article 18 of the Law; and (ii) hold additional qualifications and exercise responsibilities that extend beyond those of a DPO, including the regulatory, technical and organisational expertise to ensure effective governance and oversight of the System and ongoing validity, maintenance and compliance of the System’s certification.

10.3.4 · Where a Deployer or Operator is not required to appoint an ASO in accordance…

10.3.4 Where a Deployer or Operator is not required to appoint an ASO in accordance with Regulation 10.3.3, it shall: (a) clearly allocate responsibility for oversight and compliance with respect to compliance obligations, or any other applicable, similar regulations or principles frameworks, within its organisation; and (b) provide details of the persons with such responsibility to the Commissioner upon request.

Question 4

Section 11.1.2

Is Regulation 11 clear and aligned with legal frameworks implementing similar accreditation and certification standards, such as the Global Cross Border Privacy Rules and Privacy Recognition for Processors?

Read section 11.1.2

11.1.2 · For purposes of the Law, the Commissioner may recognise and issue accreditation…

11.1.2 For purposes of the Law, the Commissioner may recognise and issue accreditation to accredited certification bodies and relevant certifications confirmed under the frameworks referred to in Regulation 11.1.1 via publication, a Direction or other valid mechanism. DATA PROTECTION REGULATIONS 16 CONFIDENTIAL

Question 5

· Whole document

Do you have any other comments or suggestions in relation to the proposed updates?

Your comments

Comment on the document

Comment on a specific section: choose the section, then write your view. Add as many as you like. (For feedback on the document as a whole, use the general comments box below.)

General comments

Comment on the document as a whole

Overall views, themes, or anything not tied to one section.

Add at least one comment or answer.