The UAE has recently released the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") with an effective date of 2 January 2022.
The PDPL has extra-territorial scope, applying to any company established in the UAE and processing personal data overseas, or a company established outside of the UAE and processing personal data inside the UAE. The PDPL does not apply to government entities and government data, nor personal data which is already regulated by the Abu Dhabi Global Market (ADGM) or Dubai International Financial Centre (DIFC) data protection laws, or pursuant to special legislation (e.g. personal health data and banking and credit personal data).
Data processing controls
The PDPL provides a list of controls that govern how personal data shall be processed. These controls are similar to the data protection principles set out in other data protection regimes, for example the GDPR in the European Union (EU). The processing of personal data must be fair, transparent and lawful, and for a specific and clear purpose. Personal data must be accurate, correct and limited to the purpose for which the processing is required. Moreover, technical and organisational measures should be in place to correct or erase incorrect personal data, whilst keeping the data secure and protected from any breach or unauthorised processing. In addition, personal data must not be retained after the purpose of processing has been fulfilled, unless it is anonymised.
Consent and data subject rights
The PDPL prohibits the processing of personal data without the consent of the data subject unless certain specific exclusions apply. For consent to be valid: (i) the data controller must be able to prove consent; (ii) consent must be given in a clear, simple and accessible manner, either electronically or in writing; and (iii) the data subject must be made aware that they can withdraw their consent at any time.
Under the PDPL, data subjects will have a number of rights, including the right: (i) to access their personal data from a controller; (ii) to request the transfer of their personal data; (iii) to restrict the processing of personal data in certain cases; (iv) to have their personal data corrected or erased (i.e. the right to be forgotten); (v) to object to certain types of data processing (for example, if it is intended for the purpose of direct marketing or scientific and statistical research); and (vi) to object to automated processing.
The processor can transfer the personal data outside the UAE where the Data Office has approved a country or territory as having specialised personal data protection legislation in line with the UAE, or an adequate level of protection regarding the data subjects and their ability to exercise their rights. In cases where there is not an adequate level of protection, the processor or controller may transfer the personal data outside the UAE provided that the transfer of personal data is governed by an agreement, which provides an adequate level of protection concerning the most important provisions of privacy and confidentiality protection. The processor or controller can also transfer personal data outside of the UAE with the data subjects' consent to a jurisdiction which has no personal data protection legislation, or if it is in the interest of the public or judicial authorities.
The provisions for penalties will be further clarified with the Executive Regulations, which are due to be released in March 2022.
Next steps for your business
Companies in the UAE will now need to audit their activities, processes and internal frameworks in order to develop a compliance program which reflects the standards put forward by the new Data Office. Of course, this is a welcome change which will significantly impact the way companies do business in the region, increase confidence for global companies looking to do business here, and support a number of large-scale digital transformation projects in both the public and private sectors. We also expect that many of our clients doing business across the GCC will need to look closely at the different data protection frameworks of each jurisdiction, which are rapidly evolving and may require specific considerations in how they differ, especially in respect of data transfers across borders – this is especially true for our e-commerce, FinTech and retail clients.
Please reach out to a member of our Technology and Data Protection team in Dubai for further information or if you require any advice/assistance with these matters.