Federal Decree No. 45 of 2021, pertaining to data protection laws in the UAE, was enacted on September 20, 2021. The law officially became effective on January 2, 2022. It is stipulated that the Implementing Regulations, complementary to the law, must be promulgated within six months of the law's enactment, specifically by March 20, 2022.
Within six months of the enactment of these regulations, UAE businesses are obligated to adhere to the law. Similar to numerous laws in the UAE, the Bylaws furnish supplementary details elucidating the provisions of the law. They serve to aid UAE businesses in comprehending their compliance obligations under this legislation.
The primary objective of the law is to harmonize UAE federal law with internationally recognized privacy principles. Individuals acquainted with these principles will find the law's emphasis on transparency and accountability consistent with global best practices. Key features of the law include the introduction of data subject rights, data breach protocols, data protection impact assessments, stipulations for data transfer, as well as requirements for notification and record-keeping.
Simultaneously with the law, United Arab Emirates Decree No. 44 of 2021 was issued on September 20, 2021. This decree was established to align with the UAE data protection laws, ensuring compliance with the stipulations of the law.
What do you need to know about UAE data protection laws?
When does the law apply?
The data protection laws in the UAE are applicable to both controllers and processors. A controller, whether a natural person or a legal entity, is the individual or entity responsible for deciding the methods and rationale for processing personal data and determining the purposes of such processing. The processor, in turn, handles personal data on behalf of the controller and follows the instructions provided by the controller during the processing activities.
Personal data encompasses all information pertaining to or associated with a natural person that can be directly or indirectly used to identify them by connecting the data. Such information may include, but is not limited to, one or more of the following: name, voice, image, identification number, electronic identifier, geographic location, or physical, physiological, economic, cultural, or social characteristics of the individual. This broad definition also covers sensitive personal information.
Sensitive personal data, whether disclosed directly or indirectly, involves an individual's family or ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, and health-related information.
This law is applicable to all personal data processing activities carried out by controllers and processors in the UAE, irrespective of whether the processing involves data subjects within the UAE or abroad. It encompasses personal data of data subjects residing or working in the UAE.
Additionally, these regulations extend to controllers and processors situated outside the UAE who engage in the processing of personal data belonging to UAE data subjects. This reflects an extraterritorial aspect akin to the General Data Protection Regulation (GDPR).
The UAE data protection laws incorporate materiality thresholds concerning the processing of personal data. This provision enables data bureaus to exempt UAE companies that do not engage in substantial processing of personal data. Details regarding these thresholds are specified in the Implementing Regulations.
When do UAE data protection laws not apply?
UAE data protection laws do not apply to personal data processed by government entities, to government agencies that control or process personal data, or to security and law enforcement authorities. However, state-owned enterprises appear to be subject to the law.
UAE data protection laws do not apply to personal health data or information, or personal banking or credit data or information, although different laws apply to such personal data and information. This law also does not apply to UAE free zones such as Dubai International Financial Center and Abu Dhabi Global Market, which have their own data protection laws. Finally, the law does not apply to the use of personal data by data subjects for personal purposes.
What are the main principles of UAE data protection laws?
UAE data protection laws speak of "control" over the processing of personal data. This includes: processing personal data in a fair, transparent, and lawful manner; collecting personal data only for specific and explicit purposes; processing only the personal data necessary for the specified purposes (or for purposes similar or closely related to them); keeping personal data accurate and up to date, or deleting inaccurate personal data; protecting personal data; and retaining personal data only for as long as necessary for the specified purpose, then deleting or anonymizing it. All of these principles are consistent with those adopted by global
What is the legal basis for processing personal data under UAE data protection laws?
Personal data can only be processed with the consent of the data subject, except in certain limited circumstances. These circumstances include: where processing is necessary for the performance of a contract with the data subject, or for the conclusion, modification, or termination of such a contract; where the data subject has made the personal data public; and where processing is necessary to protect the interests of the data subject.
They also include: where processing is necessary for the establishment of legal claims or as part of judicial or security proceedings; where processing is necessary for specific medical purposes or public health matters (in accordance with the relevant law); where processing is for archival purposes or for scientific, historical, or statistical research (in accordance with the relevant law); and/or where processing is necessary for the controller or the data subject to fulfil their obligations or exercise their rights under employment or social protection law.
One legal basis that is not included is processing necessary for the legitimate interests of the controller (or a third party). This ground is commonly provided by data protection laws elsewhere in the world.
How should consent to the processing of personal data be handled?
The controller must be able to establish the consent of the data subject where consent is used as the legal basis for the processing of the data subject's personal data. Consent should be clear, simple, and easily accessible. It should take the form of a statement or a clear affirmative action, and it can be given in writing or electronically.
The consent language should inform the data subject of the right to withdraw consent, and withdrawal should be easy. Data subjects may withdraw their consent at any time. Such withdrawal shall not affect the lawfulness of any processing based on consent given prior to the withdrawal.