Overview of the Data Protection Law in UAE

By Anna Lewis
  • March 1, 2024
  • 7 min read

The UAE data protection law governs the security of personal data processing. It is aligned with international standards for protecting individuals' confidential data, and it aims to ease concerns about how personal information is protected in the UAE.


In this article, you will learn what this law is about, how it can benefit you in terms of security, and what its most important aspects are.



What is the Data Protection Law in the UAE?


The UAE data protection law (PDPL) was created to guarantee the privacy of data subjects' personal data. It was enacted by Federal Decree-Law No. 45 of 2021, has been in force since January 2, 2022, and its regulations were published in the subsequent 6 months.


With this law, the United Arab Emirates aligns itself with established global data protection principles, including concepts such as accountability and transparency. The law also sets out obligations relating to data breaches and to assessments of the impact on data security.


It also sets requirements for transfers, notification, and the maintenance of personal data records. The Emirates Data Office will be the authority that regulates data protection by applying the new law.



Principles of the Data Protection Law


The UAE data protection law rests on several important principles, described below:


Single Data Authority


As mentioned, the Data Office will be in charge of verifying PDPL compliance under Federal Decree-Law No. 44. When it begins operating, the TDRA will be the entity providing both logistical and administrative support. The Data Office has the following powers, responsibilities, and duties:


  • To supervise the law and its application, the Data Office must prepare and propose policies, as well as appropriate legislation and strategies.
  • It makes the inquiries required to guarantee the efficient application of the data protection law.
  • It receives complaints regarding data protection and verifies them with the organizations concerned.
  • It has a general director who supervises its daily functions.



Right for Consent


Under the UAE data protection law, your data cannot be processed without your consent. There are exceptions, however, such as processing needed to fulfil the obligations of a contract or to protect a public interest, among others. The law does not, by contrast, provide for processing based on a controller's legitimate interests.


Incentivizing SMEs


The PDPL can benefit Small and Medium Enterprises in various ways. Below is a summary of how the law supports such companies:


  • Enables compliance with security laws
  • Gives customers more confidence in your business
  • Allows you to develop effective data processing strategies and practices
  • Minimizes the cost and risk of personal data breaches
  • Helps you stay up to date with technologies


Allows Cross Border Data Flow


According to the UAE data protection law, transferring data to a country or territory outside the Emirates is not permitted. An exception applies where the destination provides an adequate level of protection for the data subjects whose data is processed. Where that is not the case, there are further exceptions or derogations under which cross-border transfers can still be carried out.


These could include the following:


  • Establishing protections through appropriate safeguards, such as contractual clauses.
  • The data subject has consented to the transfer and it does not conflict with any Emirati public or security interest.


The Executive Regulation will also include information on cross-border transfers, together with a list of places that have adequate levels of protection.


What authorities are responsible for data protection?


Several legal regimes govern data protection in Dubai and the rest of the Emirates. Below you will learn what these authorities are and what their responsibilities are:


UAE Law

The UAE Law establishes that the Data Office must guarantee data privacy, receive complaints, and provide solutions. It must also apply remedies in the event of a data privacy or security breach under the UAE data protection law. In addition, the Data Office has the authority to impose administrative sanctions on this issue.


DIFC Law

The DIFC's Data Protection Commissioner will administer the law and receive your complaints about an agency's non-compliance with it. The Commissioner is authorized to investigate complaints, issue statements, and impose the corresponding fines.


ADGM regulation

In the ADGM, a commissioner enforces the guidelines of that body's regulations. The commissioner is authorized to receive and resolve complaints or allegations of violations of the ADGM regulations and to apply the necessary sanctions.


Types of Data Protection Requirements


The UAE data protection law establishes certain requirements for parties that control user data. The details of each requirement are as follows:


Consent Requirements


Controllers must obtain the data subject's consent as a legal basis for processing their data. Consent must be simple, clear, and accessible, and must be given through an affirmative action or statement, either in writing or electronically.


Consent must also include a right to withdraw it, which must be simple to exercise. You may withdraw consent at any time; withdrawal does not affect the consent given before it was withdrawn.


Privacy Notice Requirement


The Dubai data protection law, and the national law in general, establish certain standards that data controllers must comply with. Before beginning to process data, you must inform the data subject of the following:


  • The purpose of the data processing
  • The entities or sectors, both in the country and abroad, with which the information will be shared
  • The guarantees offered by the controller about processing outside the UAE


You must also, when requested, provide the data subject with the following information under Article 13 of the PDPL:


  • The specific personal data that will be processed
  • Decisions regarding automated processing
  • Data storage and retention rules
  • The measures that will be taken in the event of a data security breach


Security Requirements


The UAE data protection law states that controllers and processors must develop security procedures and take the necessary measures in line with leading international standards and practices. They must ensure a high level of security, proportionate to the risks and costs involved in the processing.


The law names two such security measures, which must be tested and evaluated:


  • Pseudonymization and encryption. Pseudonymization is the processing of data so that it can no longer be attributed to the data subject without the use of additional information. That additional information must be kept separately and secured so that the data cannot be linked to an identified or identifiable natural person.
  • Anonymization. This means deleting or modifying data so that it cannot be associated with any person.


Data Breach Requirements


Controllers who become aware of a data breach must immediately notify the Data Office. A breach here means an action that compromises the confidentiality, privacy, or security of the data. Article 9 of the PDPL requires the notification to include the following details:


  • The type, reasons, approximate number, and record of security violations.
  • A description of the possible consequences.
  • The detailed actions taken by the data controller to correct the violation.


Data Protection Officer Requirement


The UAE data protection law requires certain organizations to appoint a Data Protection Officer (DPO), who ensures compliance, provides advice, and is the direct point of contact with the Data Office. The DPO, who must be appointed by the controller and the processor, must have the knowledge and skills needed for the role.


These skills matter where there are significant risks to data privacy, for example risks associated with the adoption of new technologies or with the volume of data. A Data Protection Officer is required in the following cases:


  • Automated (or large-scale) processing of data that may create a high risk to confidentiality and privacy.
  • Systematic and comprehensive evaluation of sensitive data, such as profiling and automated processing.
  • Large-scale processing of sensitive data.


A DPO may be located outside the country and must follow the guidelines set out in the law. Further executive regulations will help determine what counts as high-risk processing and when a DPO is needed.


Third Party Processing Requirements


The UAE data protection law requires that third parties or providers to whom data is transferred maintain appropriate security; that is, data processors must provide the security needed to comply with the PDPL. If the organization to which you send data for processing violates the requirements, you remain responsible for it.


Therefore, organizations that work with a service provider must ensure that the contract contains the necessary security clauses, and those clauses must also comply with the other requirements of the PDPL and other applicable laws.


Cross Border Data Transfer Requirements


The data protection law also applies to the transfer of data under certain circumstances, namely the following cases:


  • Data controllers or processors located in the UAE that process data of subjects outside the country.
  • Controllers or processors outside the UAE that process data of subjects within the nation.
  • The DIFC law applies to controllers or processors that process data in the Centre, regardless of their place of incorporation.
  • The ADGM regulations apply to activities carried out by controllers or processors established there, even if the activities themselves are not carried out in the ADGM.


Role of Data Protection Officer in UAE


Data Protection Officers ensure that controllers comply with the following:


  • The provisions of the UAE data protection law.
  • The implementing regulations.
  • The instructions issued by the Data Office.


The law further establishes, in Article 11(1), that the functions and tasks of a DPO are the following:


  • Check that controllers implement effective measures for correct and secure processing.
  • Receive requests from data subjects under the law and the Executive Regulations.
  • Guide the evaluation of the established measures.
  • Periodically evaluate and adequately document the measures implemented.
  • Advise on these measures.
  • Act as the liaison point between controllers and the Data Office.
  • Perform other functions described in the Executive Regulations of the Dubai data protection law.


Under Article 11(2), the Data Protection Officer must maintain the confidentiality of personal data. Data subjects can contact the DPO directly to exercise their rights over their data. Controllers and processors must provide the resources the DPO needs to perform its functions properly, in line with the following requirements:


  • The DPO must be included in all matters related to the protection of personal data.
  • The DPO must receive the resources and support it needs.
  • The DPO cannot perform functions that create a conflict of interest.
  • The DPO cannot be sanctioned for carrying out its duties, as long as they are within the law.


Restrictions on International Data Transfers


The Data Office allows data transfers to other countries that have an appropriate level of protection. The UAE data protection law therefore permits transfers to countries with specific data protection legislation, and likewise where a bilateral or multilateral agreement on such protection exists.


The law also offers several transfer options for countries that do not meet the Data Office's guidelines. The rules for transferring personal data to such countries without approval include:


  • Transfers under contracts aligned with the clauses of the PDPL.
  • Obtaining the data subject's consent for the transfer, provided it does not conflict with the security or interests of the country.
  • When the transfer is necessary for the performance of a contract between the controller and the data subject.
  • As part of a contract between the controller and a third party in which the data subject has an interest.
  • When the transfer is important for international judicial cooperation or to protect the public interest.




Final Thoughts


The UAE data protection law guarantees individuals the protection of their personal and sensitive information by regulating how it is handled. Controllers, processors, and data subjects must therefore know and comply with the regulations. If you need information or legal advice on this or other issues, we can help; just contact us.
