Where your AI data is allowed to sit
DIFC DPL Art 24 (international transfers); DIFC Adequacy List
What the rule is
Data residency is about where your AI data is held and processed. The rule favours keeping personal data inside the DIFC or in a jurisdiction the DIFC recognises as adequate.
The DIFC Adequacy List names the jurisdictions judged to offer strong enough protection. Sending data to a place on that list is generally allowed. Sending it elsewhere needs extra safeguards.
For transfers to non-adequate places, you typically need two things:
- DIFC Standard Contractual Clauses (SCCs), which are approved contract terms that bind the receiver to protect the data.
- A transfer impact assessment, which checks whether the data will really be safe at the destination.
One honest point matters here. Holding data in-country, such as in a UAE data centre, is not the same as DIFC adequacy. In-country compute can be a strong choice, but adequacy is a separate legal status. Do not assume one gives you the other.
Why it matters
Cross-border data flows are easy to set up and easy to overlook. A transfer to the wrong place, without SCCs, is a breach even if nothing visibly goes wrong.
The DIFC Commissioner can review your transfers and the safeguards behind them. Missing SCCs or a missing transfer impact assessment is a clear gap. Where a transfer exposes people to harm, that failure can support a private right of action in the DIFC Courts.
How to comply
- Map where each AI system stores and processes personal data.
- Check each destination against the DIFC Adequacy List.
- Put SCCs in place for transfers to non-adequate places.
- Run a transfer impact assessment for those transfers.
- Record your residency decisions, and do not treat in-country compute as adequacy.
How regulation10.ae helps
regulation10.ae helps you map data flows, check destinations against the DIFC Adequacy List, and store SCCs and transfer assessments as evidence for assessment. We process in Azure UAE North, which is in-country compute; we are clear that this is not DIFC adequacy, and we help you handle transfers honestly. You get a documented view of where your data sits and why.
Map your data with the free readiness assessment, or see our plans.
Audit-ready, not certification
See where you stand
The free readiness assessment scores this obligation against your answers and links every gap back to a guide like this one.