Key points on the new UAE Data Protection Law
On the 2nd of January this year, the United Arab Emirates (UAE) issued its first data protection law, Federal Decree Law 45/2021 on the Protection of Personal Data (the Law), and established the UAE Data Office by virtue of Federal Decree Law 44/2021.
The Executive Regulations, which will expand on key topics of the Law, were initially expected to be published in March 2022. However, pursuant to Article 28 of the Law, they are now expected within 6 months of the Law coming into effect, approximately between May and June 2022.
Pursuant to Article 29 of the Law, companies will have 6 months from the date the Executive Regulations are issued to achieve compliance with the new law.
The new data protection law emphasises the following topics:
- Data subject rights
- Data breach requirements
- Data protection impact assessments
- Data transfer requirements
- Notification and record keeping requirements
What are the key definitions of the new Data Protection Law?
Personal Data
This is any data relating to a natural person, or to a natural person who can be identified directly or indirectly by linking data.
It covers, without limitation, name, voice, picture, identification number, electronic identifier, geographical location, or one or more of the natural person’s physical, physiological, economic, cultural or social characteristics. It also includes sensitive personal data.
Sensitive Personal Data
This covers data that directly or indirectly reveals the family or ethnic (racial) origin of a natural person, political or philosophical opinions, religious beliefs, criminal record, biometric data and any data relating to a natural person’s health.
Data Subject
This is a natural person who is the subject of personal data.
Controller
An establishment or natural person who has personal data and who specifies the method, criteria and purpose of processing such personal data.
Processor
An establishment or natural person who processes personal data on behalf of the controller, as directed and instructed by the controller.
Processing
Any operation or set of operations which is performed on personal data. This includes collecting, storing, modifying, sharing, disclosing and destroying personal data.
Who does the Data Protection Law apply to?
The Law applies to:
- Data subjects who reside in or who work in the UAE
- Every controller and processor located in the UAE, irrespective of whether their processing of personal data takes place inside or outside of the UAE
- Controllers and processors located outside the UAE that process the personal data of UAE data subjects (extra-territorial element)
It does not apply to the following:
- Government data
- Government authorities
- Personal data held by security or judicial authorities
- Individuals who process their own personal data for personal purposes
- Personal health data that is subject to separate legislation
- Personal banking and credit data that is subject to separate legislation
- Companies in UAE free zones that are subject to their own personal data related legislation
There is a materiality threshold in the new law in relation to the processing of personal data, with the Data Office having the ability to exempt UAE companies that do not process large volumes of personal data. This will be defined in the Executive Regulations.
What are the key principles and requirements?
- Processing must occur in a fair, transparent and lawful manner.
- Only collect personal data for a specific and clear purpose.
- Only process necessary personal data based on the specific purpose, or for purposes similar or close to the specific purpose.
- Keep personal data accurate, correcting or deleting inaccurate personal data when required.
- Keep personal data secure.
- Only keep personal data for as long as required based on the specific purpose, and when it is no longer required, delete or anonymise it.
What are the lawful bases for processing personal data?
Personal data can only be processed with the consent of the data subject except in certain limited circumstances.
The consent must be specific, clear and unambiguous. It must be given through a statement or clear affirmative action, such as in writing or electronically (e.g. ticking a box). The consent wording should include the data subject’s right to withdraw consent at any time.
The exemptions to the general rule described above include the following circumstances:
- To perform a contract to which the data subject is a party, or to take measures at the request of the data subject with the aim of concluding, amending or terminating a contract.
- To implement specific obligations in other laws applicable where the controller is located.
- Where the data subject has made the personal data public.
- To protect the interests of the data subject.
- Where processing is necessary for claiming legal rights or as part of judicial or security procedures.
- Where processing is necessary for certain medical purposes or matters of public health.
- For archival purposes, or for scientific, historical and statistical studies (in accordance with relevant legislation).
- For a controller or data subject meeting obligations and exercising employment/social protection rights.
There is no obvious exception to the requirement of the data subject’s consent that would apply to the use of personal data for marketing purposes. Organisations may only use such data for marketing purposes with the consent of the data subject. It is required to incorporate opt-out mechanisms to allow data subjects to withdraw their consent or object to receiving marketing communications.
What are the obligations of the Controller and Processor?
Controller
- Put in place appropriate technical and organisational measures and procedures to protect personal data in accordance with the Law.
- Maintain a record of processing that is available for inspection by the Data Office on request.
- Only appoint processors who can provide sufficient guarantees regarding the implementation of technical and organisational measures to ensure the processing satisfies all requirements and restrictions.
A controller must, before processing a data subject’s personal data, inform the data subject of the purposes of the processing and of any third parties with which the personal data will be shared.
Processor
- Only process personal data in accordance with the controller’s instructions and any agreements signed between the controller and the processor.
- Apply appropriate technical and organisational measures to protect personal data and secure the processing (including any devices used for the processing).
- Maintain a special record of the personal data processed on behalf of a controller.
- Ensure that processing is in accordance with the specified purpose and processing period, notifying the controller if the processing exceeds this period.
What are the rights of the data subject?
- The right to obtain certain information on request.
- The right to access personal data.
- The right to receive a copy of personal data in a machine-readable format, and to request that it be transferred to another controller (data portability).
- The right to restrict personal data processing.
- The right to ask for their personal data to be corrected and deleted in certain circumstances, such as where they have withdrawn their consent to processing or the personal data is no longer required for the specified purpose.
- The right to submit a complaint to the UAE Data Office.
What is the Data Office?
The Data Office aims to ensure the fullest protection of personal data.
It is responsible for a range of tasks which include:
- Preparing legislation and policies relating to data protection
- Proposing and approving systems for complaints and grievances
- Proposing standards for the monitoring of the data protection legislation
- Issuing guidance for the full implementation of data protection legislation
- Imposing administrative penalties
What are cross-border personal data transfers?
The new law allows for the transfer of personal data to countries approved by the Data Office as having an “adequate level of protection”. The Executive Regulations will include details of the approved countries.
For countries not approved by the Data Office as having an adequate level of protection, the Law provides various options to enable the transfer of personal data:
- Transferring personal data under a contract that applies the requirements of the Law
- Securing the data subject’s express consent to such transfer (where such consent does not conflict with public and security interests of the UAE)
- Transferring personal data if it is necessary for the execution of a contract between the controller and the data subject, for international judicial cooperation, or to protect the public interest.
Is it mandatory to appoint a Data Protection Officer?
It is only mandatory for a controller or a processor to appoint a data protection officer (DPO) where the processing of personal data:
- Is likely to involve a high level of risk to the confidentiality and privacy of the individual’s personal data, due to the use of new technologies or because of the amount of data involved
- Will involve a systematic and comprehensive assessment of sensitive personal data
- Will be undertaken on a large amount of sensitive personal data
The Executive Regulations will provide more specifics to assist in determining whether “high risk” processing is occurring and a DPO is, as a result, required. A DPO can be located outside the UAE.
What are data protection impact assessments?
Controllers are required to assess any proposed processing operations where the use of technologies could pose a high risk to the privacy of personal data.
Assessments will be required where processing covers automated processing, including profiling, or involves a large volume of sensitive personal data.
The DPO role will be important for the management of these assessments. The Data Office will be releasing details of those processing operations that will not require assessments.
Do you have to report a personal data breach?
Controllers must, on becoming aware of any personal data breach that would “prejudice the privacy, confidentiality and security of a data subject’s personal data”, inform the Data Office of the breach.
The Law sets out details to be included in any notification, with the Executive Regulations adding further details, including any reporting period. The following is required in the report:
- Details of the breach and potential consequences
- The name of the appointed DPO (if any)
- A description of any mitigations and corrective procedures undertaken to remedy the breach and its effects
The processor must inform the controller immediately of a breach so that they are able to inform the relevant parties within the stipulated timeframes.
How can PRO Partner Group help?
PRO Partner Group are the experts in PRO and HR services and assisting in documentation management for clients and their staff. Our professional team of government liaison staff, PROs and operations team can assist you to review your documentation flow, together with your HR, labour and immigration provisions to ensure that you are able to run your business in the most efficient manner.
If you need guidance in complying with the new Data Protection Law or any other related company setup, restructuring, local partner or PRO support matter in Abu Dhabi, Dubai, the wider UAE, Oman, Qatar or Saudi Arabia, then please do get in touch with us on +971 (0)4 456 1761 for Dubai or +971 (0)2 448 5120 for Abu Dhabi, or email us at email@example.com, and we will be delighted to assist you.