Ioana Georgescu considers the UAE’s first federal data protection law, UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), its impact on personal data protection in the UAE and its potential implications for businesses.
As a result of digital globalisation, data in today’s market can be easily accessed and transmitted across borders, making data protection a key issue for many companies to consider as part of their regulatory framework.
Laws and regulations are regularly introduced or updated in the UAE, making it a challenge for organisations to keep up and ensure compliance with data privacy requirements. One such example is the recent introduction of the PDPL in the UAE, which came into effect on 2 January 2022. This new regulation places personal data protection at the forefront: all businesses operating in the UAE, and those based outside the UAE that process personal data in the UAE, must evaluate their activities and make changes in line with the PDPL. Although the PDPL took effect on 2 January 2022, it will not be enforced until 6 months after the publication of further implementing regulations.
Furthermore, UAE Federal Decree-Law No. 44 of 2021 on the establishment of the UAE Data Office, issued on 20 September 2021, created a single national privacy regulatory authority, the UAE Data Office, responsible for the application of the PDPL.
The introduction of these laws aims to align UAE Federal law with global best-practice data protection principles, including transparency and accountability. The Law introduces Data Subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record-keeping requirements. A summary of the laws can be found below.
Who does the law apply to?
The provisions of this law apply to:
- Any Data Subject who resides in, or has a place of business in the UAE
- Any firm carrying out the processing of personal data inside or outside the UAE as a controller or processor
- Any firm located outside the UAE that carries out activities of processing data inside the UAE.
There are certain exceptions to the above, including:
- Government data
- Government authorities that control or process personal data
- Personal data that is held with security and judicial authorities
- A Data Subject who processes his/her own data for personal purposes
- Health personal data and financial data, which are subject to their own relevant legislation in the UAE
- Companies and institutions located in the free zones of the UAE such as Dubai International Financial Centre and the Abu Dhabi Global Market, as they have their own data protection laws.
What does it mean to your business?
Businesses have a very limited time to align their business environment and regulatory framework with the new law, and extensive preparation will be needed to review the scope of how data is processed.
What are the expectations of the Law?
Consent Management and Data Subject rights
The PDPL prohibits the processing of personal data without the consent of the Data Subject, with the exception of data that is publicly available or of processing that is necessary for one of the following purposes:
- To protect public interest
- To initiate or defend legal proceedings
- For the purpose of occupational or preventive medicine
- To protect public health, e.g. communicable disease or epidemics
- To protect the interests of the Data Subject
- To perform the contract with the Data Subject
- To fulfil obligations imposed by other laws of the UAE.
Conditions that make up valid consent:
- The data Controller must be able to prove the consent of the Data Subject
- The consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or in electronic form
- Consent must indicate the right of the Data Subject to withdraw it, and such withdrawal must be easy to make
- The Data Subject may, at any time, withdraw his/her consent to the processing of his/her personal data.
Data Subjects have several rights under PDPL which include the right to:
- Obtain information and access personal data held by the data Controller
- Request the transfer of personal data
- Request correction or erasure of personal data (the right to be forgotten)
- Restrict the processing of personal data
- Stop the processing of personal data (e.g. where it is intended for direct marketing or for scientific and statistical research)
- Object to processing and automated processing.
Controls on data processing:
Personal data should be processed as per the governance controls under PDPL. These governing principles follow most of the international data protection regimes, e.g. General Data Protection Regulation (GDPR).
Processing of personal data:
- Must be fair, transparent and lawful
- Must be collected for a specific and clear purpose
- Must be sufficient for, and limited to, that purpose
- Must be accurate, correct and kept up to date
- Must be subject to appropriate measures and procedures that allow it to be modified or corrected
- Must be kept securely by applying technical and organisational measures.
Cross-border personal data transfer and sharing for processing purposes, based on the level of protection
Personal data may be transferred outside the UAE if the country or territory to which it is transferred has legislation equivalent to the UAE PDPL, or if the UAE has a bilateral or multilateral agreement in place for personal data protection. Alternatively, if personal data is to be transferred outside the UAE to a jurisdiction that does not have legislation equivalent to the UAE PDPL, the data can only be transferred under a specific contract or agreement that includes certain required provisions.
What are the penalties for non-conformity?
Penalties for a breach of PDPL or the executive regulations can be imposed on organisations that do not have the correct measures for data protection in place, although the range of potential penalties is not stipulated at present.
How can Equiom help?
Equiom has a fully qualified team of Data Protection Officers who can guide you through the data protection framework in various jurisdictions across the Middle East.
The team can help you to ensure compliance with the UAE’s ever-changing rules and regulations on data protection and privacy.
Our service offering includes:
- Design and implementation of a data privacy framework
- Data protection advice specific to your organisation
- Data protection training for staff, senior management, or Board
- Outsourced Data Protection Officer (DPO) services
- Review of existing data privacy arrangements to ensure compliance with current regulations.
Please email Ioana Georgescu, or call her on +971 4 446 3900, for a more detailed discussion on what your firm will need to do to ensure compliance with Data Protection laws across the UAE.
Data Subject: The natural person who is the subject of the Personal Data.
Personal Data: Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.
Processing: Any operation or set of operations performed on Personal Data using electronic or other means. This includes the collection, storage, recording, organisation, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, classification or disclosure of Personal Data.
Controller: An establishment or natural person who has Personal Data and who, given the nature of his/her activity, specifies the method, criteria and purpose of Processing such Personal Data, whether individually or jointly with other persons or establishments.
Processor: An establishment or natural person who processes Personal Data on behalf of the Controller, as directed and instructed by the Controller.
This article has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The article cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact Equiom to discuss these matters in the context of your particular circumstance. Equiom Group, its partners, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this article or for any decision based on it.
For information on the regulatory status of our companies, please visit www.equiomgroup.com/regulatory