• GL
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK

UAE's Protection of Personal Data Law

08 February 2022

The United Arab Emirates ("UAE") enacted the Federal Decree – Law No. 45/2021 on the Protection of Personal Data (the "Law") on September 20, 2021.

Aim of the Regulation

The Law governs the processing and control of personal data. It covers three broad categories of people:

  1. any natural person residing in the UAE whose personal data is being processed or controlled;
  2. any person (whether natural or legal) located in the UAE controlling or processing the personal data of any natural person; and
  3. any person (whether natural or legal) located outside the UAE controlling or processing the data of people within the UAE.

Key features

Data Subject

The Law defines the data subject as any natural person whose personal data is being processed or controlled.  In accordance with the Law, such a person has the right to know (amongst other things): (i) what type of their personal data is being processed; (ii) the purpose of processing their personal data; (iii) what measures and protections are in place for their personal data; and (iv) what are the standards for storing their personal data.

Personal Data Processing Controls

The Law sets out certain controls relating to the processing of data. The data must be processed in a fair, transparent, and lawful manner and in accordance with the instructions of the Controller. It must be processed for a specific and clear purpose and for an established period of time. Also, the personal data being processed must be accurate and correct and if that is not the case, there must be appropriate measures in place to allow for the erasure or correction of the incorrect data.

The burden of protecting the personal data lies on the processor. The processor must protect the personal data from any breach, infringement, illegal or unauthorised processing.  Any failure to maintain and install appropriate measures to protect personal data may result in penalties for violations. The UAE Cabinet will outline such penalties in due course.

Consenting to Data Protection

A data subject under the Law must provide consent for the collating, use and storing of their personal information. For the consent to be sufficient, the controller must be able to prove that it has the clear and unambiguous consent of the data subject. Furthermore, at the time of requesting the consent it must be made sufficiently clear that the consent provided can easily be revoked at any time.

There are certain instances where personal data may be processed, without the consent of the data subject. These include where it is: (i) necessary to protect the public interest or public health; (ii) important for the provision of medical care; or (iii) important to fulfil obligations imposed by other laws on the controller of such data.

Personal Data Breach

In the event a controller discovers a breach, it must promptly report to the UAE Data Office the nature, form and causes of the infringement; the measures taken or proposed to be taken to address the infringement or breach and any other information so required by the data office. Other than the data office, the controller is also required to notify the data subject that the infringement or breach may prejudice their confidentiality, privacy and security.

If a processor becomes aware of a breach, it must promptly inform the controller so that the above procedure can be complied with.

Obligations of Controllers and Processors

The controller and processor have a number of obligations to the data subject. Some of them include:

  1. ensuring that there are appropriate measures in place to protect the personal data, at all stages;
  2. maintaining a clear record of who has access to the personal data. This record should highlight how long access was granted and (if applicable) any cross-border processing of the data.
  3. erasing all data after the processing period expires.

Data Protection Officer

The law provides for three scenarios under which a data protection officer must be appointed:

  1. if there is a high-level risk to confidentiality of the personal data by adopting new or associated technologies with the amount of data;
  2. if the processing will involve systematic and comprehensive assessment of sensitive personal data; or
  3. processing of large amounts of sensitive personal data.

The data protection officer is responsible for ensuring compliance by the controller and processor with the provisions of the Law.  The officer also acts as a point of contact for requests of complaints pertaining to personal data, and advises on the results of periodic evaluations and examinations of protection systems and intrusion prevention systems put in place by the controller.

Cross Border Personal Data Transfer

Personal data may be transferred to a territory outside of the UAE, subject to approval by the data office. Before granting such approval, the data office in the UAE will look at the protection awarded to personal data as well as the rights of the data subject in the specific territory where the personal data is to be transferred.  The data office will also look at whether the UAE has acceded to any agreements related to the protection of personal data with the territory where the data is being transferred.

Notwithstanding the above, data can be transferred to countries that do not have any personal data protection laws. The standard applied in these cases is that, the data should receive the same protection as it would if it was being processed in the UAE.

Additionally, data can also be transferred out of the state with the express consent of the data subject, if the transfer is necessary to fulfil obligations and establish, exercise or defend rights before judicial authorities, and if the transfer is necessary to protect the public interest.

Matters falling outside the scope of this Law

The Law does not apply to various categories of data or entities that hold personal data such as: (i) government data; (ii) government authorities that control or process data; (iii) any data held with security and judicial authorities; (iv) people who process their own data for personal purposes; (v) health data; (vi) banking and credit data; and (vii) data held by free zone companies and institutions (as these entities are subject to personal data protection legislation implemented by the relevant free zone).

Next Steps

Companies and natural persons that are involved in the controlling or processing of personal data should adhere to the obligations and standards outlined therein.

In light of the General Data Protection Regulation, in Europe, and a global move to better protect personal data online, it is important that parties affected by this legislation take all the necessary steps to remain compliant.

This Client Alert provides a very brief summary of a law. It does not constitute legal advice and should not be used as a substitute for competent legal advice from counsel.

Further Reading