Data Protection Law in the United Arab Emirates

February 6, 2025 | 10 min read

The UAE issued Federal Decree Law No. 45 of 2021 Concerning the Protection of Personal Data (the “Law” or “DP Law”). Provisions of the DP Law apply to all entities based in the UAE that process Personal Data of subjects inside as well as outside the UAE. The Law further applies to entities that are based outside the UAE but process Personal Data of subjects present in the UAE. These entities could be Data Processors or Controllers (defined below). However, the Law does not apply to certain entities, such as government-related entities and entities operating in the health and banking sectors, for which there are sector-specific laws.

Executive Regulations under the Law are yet to be issued, which will bring greater clarity with respect to the requirements to be met by the concerned parties. Enforcement of the DP Law will begin six months from the issuance of the Executive Regulations.

There are several stakeholders under the DP Law. They are:

  • Data Subjects: natural persons whose Personal Data is the subject of processing;
  • Controllers: entities that deal with Personal Data and control the method and criteria, as well as the purpose, of its processing;
  • Processors: entities that process Personal Data on behalf of the Controller, under its directions and instructions;
  • Data Protection Officer (“DPO”): to be appointed by a Controller or Processor for the purposes of compliance with this Law;
  • UAE Data Office (“Data Office”): to be formed under Federal Decree-Law No. 44 of 2021, enacted alongside the DP Law. The Data Office is the authority responsible for ensuring the protection of Personal Data under the Law.

Data Processing Controls under the Law

Personal Data is defined as any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data, through the use of identification elements. It includes Sensitive Personal Data (relating to any data revealing a person's family, ethnicity, beliefs, criminal record, health, or other sensitive personal information) and Biometric Data (relating to data derived from technology that identifies or confirms a person's unique characteristics, such as facial images or fingerprints) (“Personal Data”).

The Law aims to control the processing of Personal Data in a fair, transparent and lawful manner, with the data collected for a specific intended purpose and with the consent of the Data Subject. The Personal Data collected must be accurate and correct, must be kept securely, and must either be deleted or disassociated from the Data Subject (by measures such as ‘pseudonymising’ or ‘anonymising’ the data) once its purpose has been fulfilled.

Requirement of Consent from the Data Subject for Data Processing

It is imperative that all Personal Data be collected and processed only with the consent of the concerned Data Subject, except in certain circumstances. These exceptions include: where such Personal Data has been made public by the Data Subject; where it is necessary for exercising legal rights or carrying out contractual rights; for archival purposes, and to protect public interests.

The Controller must be able to prove the Data Subject’s consent to the processing of Personal Data. Such consent must be obtained in a clear, simple and easily accessible manner. Further, it shall account for the Data Subject’s right to withdraw their consent easily.

Controller and Processor’s Obligations

Entities processing Personal Data must abide by the obligations laid down under the Law.

Controller’s Obligations

  • Implement technical and organizational measures to safeguard Personal Data and preserve its confidentiality and privacy.
  • Comply with the provisions and the data processing controls under the DP Law.
  • Implement technical and organizational measures with respect to automated operations.
  • Maintain a special record of the data collected, with the relevant details required under the DP Law.
  • Appoint a Processor that provides sufficient guarantees to implement technical and organizational measures.

Processor’s Obligations

  • Process Personal Data only as per the directions and instructions of the Controller and pursuant to any agreements between them.
  • Implement technical and organizational measures to protect Personal Data at the design stage.
  • Process data only in accordance with the specified purpose and period, and erase or hand over the data after that period expires.
  • Protect and secure data processing and the media and devices used for such processing.
  • Maintain a special record of the Personal Data processed on behalf of the Controller, with the relevant details required under the DP Law.
  • Prove its commitment to the implementation of the provisions of the DP Law.

Data Breach: A data breach under the Law refers to any unauthorized or unlawful access causing destruction, modification, or disclosure of Personal Data to third parties. This definition covers events such as hacking, loss of data, unauthorized sharing of data, and other such instances.

When the Controller becomes aware of a breach of Personal Data, it must report the breach, along with its details, to the UAE Data Office. It shall also be reported to the Data Subject, along with the measures taken by the Controller in response to the breach. If the Processor becomes aware of a data breach, it shall report it to the Controller, which will then fulfil its own reporting obligations.

Data Subject’s Rights

The Law provides a Data Subject with certain rights with respect to the processing of their Personal Data by a Processor or Controller. These rights are:

  • Right to Receive Information: includes information regarding the types of data being processed and the purpose for collecting them; the procedures for erasure and deletion of data; and the sectors or establishments with whom the data would be shared.
  • Right to Request Transfer of Personal Data: the Data Subject may request a copy of their Personal Data held by the Controller, or may request that such data be transferred to another Controller.
  • Right to Correction or Erasure of Personal Data: the Data Subject can request correction of their Personal Data, or erasure of such data held by the Controller.
  • Right to Restrict Processing: the right to oblige the Controller to restrict and stop processing Personal Data.
  • Right to Stop Processing: the right to object to and stop the processing of Personal Data if the processing is for marketing or surveying purposes, or is in violation of the data processing controls under the DP Law.
  • Right to Object to Automated Processing: the right to object to decisions resulting from automated processing of Personal Data, including profiling.

Role of the Data Protection Officer and Impact Assessment Compliance

Controllers and Processors need to appoint a Data Protection Officer (“DPO”) if they process Personal Data on a large scale, if the processing would pose a high-level risk to the confidentiality and privacy of such data and to the Data Subject, or if the processing involves Sensitive Personal Data or activities such as profiling and automated processing.

The above conditions also warrant a data protection impact assessment (“DPIA”) under the DP Law. The DPIA shall contain, amongst other things:

  • A detailed description of the processing activity and its intended purpose(s);
  • An evaluation of the necessity of the processing in relation to its objectives;
  • An analysis of the potential risks to the protection of personal data of individuals and its confidentiality;
  • Proposed measures to reduce the potential risks associated with the processing activities.

Additionally, data controllers are required to regularly reassess the results of DPIAs to ensure that processing activities continue to align with the assessment, especially if there is a change in the level of risk.

The DPO shall ensure the compliance of the Controller or the Processor with the provisions and regulations of the Law, and provide technical expertise regarding the relevant subject matter. The DPO shall also deal with requests and complaints relating to Personal Data and act as a link between the Controller or the Processor and the Data Office.

Cross-Border Transfer of Personal Data

The DP Law also provides for circumstances where Personal Data would be subject to transfer to another jurisdiction.

Personal Data can be transferred to another jurisdiction provided that the jurisdiction has adequate legislation ensuring proper protection of Personal Data. The UAE Data Office would determine which jurisdictions qualify. The foreign jurisdiction must also have a judicial or regulatory authority that imposes measures under its local data protection law.

Where a jurisdiction lacks adequate legislation or proper protection is not available, Personal Data may still be transferred provided that the parties involved in the transfer do so under a contract or agreement obligating them to adopt the measures and requirements set out under the DP Law. There are other instances in which data may be transferred to jurisdictions without adequate legislation, such as where there is explicit consent of the Data Subject, or where the transfer is necessary to fulfil judicial duties or a contract.

Data Protection in the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM)

The UAE’s financial free zones, the DIFC and the ADGM, each have their own legal frameworks on data protection in place and are governed by them. Both the DIFC and ADGM laws are largely in line with the provisions of the DP Law.

DIFC

The DIFC has enacted the Data Protection Law (DIFC Law No. 5 of 2020) along with the DIFC Data Protection Regulations (together, the “DIFC DP Law”). The DIFC DP Law applies to all entities established within the DIFC, as well as to any data controller or processor (as defined by the DIFC DP Law), regardless of its place of incorporation, that processes personal data within the DIFC using resources or personnel located there on a regular basis. The law provides for the setting up of the ‘Office of the Commissioner of Data Protection’ as the primary regulatory body for the purposes of the DIFC DP Law. The ‘Commissioner’ is responsible for ensuring compliance with the DIFC DP Law and addressing complaints from data subjects.

The DIFC DP Law was amended in 2023. Notably, the amendment added provisions to protect data subjects from the processing of their data for marketing purposes, empowering them with the right to restrict such processing. Further, the amendment brought Artificial Intelligence (“AI”) within the ambit of the DIFC DP Law, with the aim of regulating the use of AI in a responsible manner.

ADGM

The ADGM has enacted the Data Protection Regulations, 2021 (the “ADGM Regulations”) to govern the protection of personal data in the free zone. The ADGM Regulations are enforced by the ‘Office of Data Protection’ established under the same and run by its appointed commissioner.

The ADGM Regulations apply to all establishments of a controller or processor (as defined under the ADGM Regulations) in the ADGM, regardless of whether the processing of data takes place in the ADGM, and protect all natural persons irrespective of their nationality or place of residence.

The Guidance issued under the ADGM Regulations clarifies the key factors to consider when determining whether data processing is linked to an ADGM establishment and therefore falls within the scope of the ADGM Regulations. The ADGM Regulations apply to controllers and processors outside the ADGM if their relationship with an ADGM establishment is “inextricably linked”, and if the revenue generated by the ADGM establishment is directly tied to data processing occurring outside the ADGM.

Essentially, extraterritorial applicability is imposed when there is a substantial and interconnected relationship between a controller or processor based outside the ADGM and an ADGM establishment. Further, for processing taking place outside the ADGM, the processor shall ensure compliance with the ADGM Regulations to the extent possible, as well as compliance with the law of the data controller’s home jurisdiction.

Conclusion

It is essential for all entities, whether Data Controllers or Processors, to adhere to the data protection requirements outlined in the DP Law, as well as other laws such as the DIFC DP Law or ADGM Regulations as may be applicable.

Organizations processing the personal data of individuals in the UAE must ensure compliance with the applicable regulatory framework by having their Privacy Policy and other relevant policies, such as Consent Management and Cookie Policies, reviewed and updated in line with the set requirements. These updates should be made promptly, especially in light of the upcoming issuance and enforcement of the Executive Regulations under the DP Law. Moreover, entities should remain proactive in monitoring and maintaining compliance, as data protection laws continue to evolve.
