13 January 2022

Personal Data Protection in the UAE – get ready to adjust your local operations to international standards

  • In-depth analysis

Following several years of discussions about the need for better protection of personal data in the UAE, the UAE government published in November 2021 Federal Law no. 45 of 2021 regarding personal data protection (the DP Law). This landmark piece of legislation is the first federal law in the UAE to regulate the processing of personal data in general and aims to bring the UAE’s standards for personal data protection to a level that meets international best practices and global standards. If you are familiar with the European Union’s General Data Protection Regulation (GDPR) you will find a large number of similarities, but also important differences.

The DP Law came into effect on 2 January 2022. However, its Executive Regulation (the "Regulations"), which is intended under the DP Law to address numerous important details, is still outstanding. It should be issued by the end of March 2022, and the DP Law provides that, as data controllers and processors, you will have a six-month period following the issuance of the Regulations (i.e., to the end of September 2022) to comply with the DP Law and the Regulations.

What kind of data is protected and who does the Law apply to?

The DP Law has an extra-territorial reach similar to the GDPR. It applies to all your businesses processing personal data in the UAE (even if that personal data relates to a data subject outside of the UAE) and to your businesses based outside of the UAE when they process personal data relating to data subjects within the UAE. Personal data under the law is defined as "any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data." This includes:

Personal Data

Any data relating to an identified natural person or relating to a natural person who is directly or indirectly identifiable through data connection, by use of identification elements such as their name, voice, photo, an identification number, an electronic identifier, location data or one or more physical, physiological, economic, cultural, or social characteristics of such person, including:

  • Sensitive Personal Data: Natural person’s family, racial origin, political beliefs, philosophical and religious beliefs, criminal records, information concerning health such as physical, psychological, mental, genetic or sexual status.
  • Biometric Data: Physical, physiological, or behavioural characteristics, facial images. 

For health, banking, and credit data the existing sector-specific laws and regulations will remain the only applicable legislation. The processing of any such data does not fall within the scope of the DP Law.

Also, the DP Law does not apply to:

  • entities registered in the UAE financial free zones that have existing data protection and privacy laws, namely the Dubai International Financial Centre and Abu Dhabi Global Market
  • governmental authorities that control or process personal data
  • interestingly, the DP Law also provides for the possibility that some UAE businesses may seek exemptions from certain elements of the DP Law, specifically where your business does not process large volumes of personal data. However, the details of these exemptions are yet to be set out in the Regulations.

What are the key features of the DP Law?

The key concepts of the DP Law are very similar to those of the GDPR, as well as the data protection legislation already issued for the DIFC and ADGM. The DP Law differentiates between data controllers and data processors, imposes a number of obligations on any entity processing personal data within the scope of the DP Law, sets out core principles for all processing activities, provides restrictions on cross-border processing of personal data, and grants the individuals who are protected under the DP Law (the Data Subjects) several rights.

Core principles

The DP Law includes (although in less detail than the GDPR and not in entirely the same way) the same seven core principles, requiring personal data processing to be:

  • lawful, fair and transparent
  • limited to the purpose for which the data was collected (or at least similar and/or approximate)
  • done with only the minimum of data that is necessary
  • accurate, using up-to-date data
  • done securely (including protection against any potential unlawful processing)
  • properly recorded and accounted for
  • subject to storage limitations.

It is noteworthy that, unlike the GDPR, the DP Law does not, as part of the transparency requirement, expressly require you as data controller to provide information notices to the Data Subject at the time when you collect the Personal Data.

Lawful bases

The DP Law takes a slightly different systematic approach as to how you can establish a lawful basis for your processing activities. The default position is that the DP Law does not allow the processing of personal data without the explicit consent of the Data Subject unless one of the exceptions under the DP Law applies.

The consent has to be specific, clear and unambiguous, indicated through a clear positive action in writing or electronically. The Data Subject has to be informed that the consent can be withdrawn.

The exceptions that you can consider relying on include:

  • where processing is in the public interest
  • the fact that the Personal Data became available publicly as a result of an act by the Data Subject (a unique exemption that is not available under GDPR)
  • where processing relates to legal, judicial or security proceedings
  • where processing is needed for the protection of public health and done in accordance with UAE laws
  • where processing is necessary for archiving scientific purposes, or historical and statistical studies, provided it is done in compliance with UAE laws
  • where the processing is related to the performance of a contract with the Data Subject or is necessary for protection of the interests of the Data Subject
  • your requirement to comply with legal and judicial obligations.

Unlike other international legislation, the DP Law does not allow for processing on the basis of the data controller's "legitimate interests". However, the DP Law has two further exceptions that are particularly interesting in employment and health insurance relationships, as you will also not need consent:

  • where processing is needed for medical purposes, including the evaluation of an employee being able to work, providing health or social care or the management of related systems, for treatment or health insurance services, provided any processing is done in accordance with UAE laws
  • where you need to process data as a controller in connection with obligations and the exercise of your or the Data Subject's statutory rights in the field of recruitment or social security, or under the laws concerned with social protection.

Rights of Data Subjects

Data Subjects will have certain key rights as prescribed by and subject to the limitations outlined in the DP Law:

  • Right of access to information, free of charge, including for example the type of data processed, the purposes of processing, the sectors or entities with whom the personal data will be shared, details about cross-border transfers, or any decisions made using automated processing.
  • Right to request transfer of personal data in an organised and machine-readable form.
  • Right to correct or delete personal data for example where there is no legitimate purpose, or the processing is no longer necessary for the purpose that the Personal Data was collected for.
  • Right to restrict processing for example in a case where the data is claimed to be inaccurate.
  • Right to stop processing, especially in case where the processing is done for direct marketing purposes.
  • Right to object to automated processing, including profiling.

Data Protection Officer (DPO)

Similar to the requirements under the GDPR, if your entity is a data controller or a data processor that meets any of the following criteria, it will be required to appoint a DPO:

  • Where your processing activity involves using new technologies or technologies processing a high volume of data and, as a result, there is a high risk to the confidentiality and privacy of the Personal Data of a Data Subject.
  • Where your processing activities include a systematic and comprehensive evaluation of Sensitive Personal Data, including Profiling and Automated Processing.
  • Where you are processing Sensitive Personal Data on a large scale.

The DPO must have sufficient skills and know-how about personal data protection. It may be an employee of your company or an external party, which may be based inside or outside of the UAE. If your company or group of companies has an existing DPO based in Europe who currently monitors compliance with the GDPR then you may nominate the same person to be the DPO for your entity(ies) that are required to comply with the DP Law.

The DP Law outlines several responsibilities of the DPO. At the same time, it also obliges your entity, as the data controller or processor for which the DPO acts, to provide the required resources to the DPO, not to assign tasks to the DPO that could create a conflict of interest with the DPO role, and not to terminate or discipline the DPO for a reason relating to his/her performance under the DP Law.

International Transfers

Subject to approval of the UAE Data Office (which has been established under Federal Decree Law No. 44/2021 on Establishing the UAE Data Office), the DP Law allows for the transfer of Personal Data to those jurisdictions deemed to have an adequate level of data protection. Further details of the jurisdictions that have an adequate level of data protection are yet to be released by the Data Office. You may also be permitted to transfer Personal Data to a jurisdiction without an adequate level of protection where an exemption applies, for example, to countries that have a data protection agreement with the UAE securing an equivalent level of data protection, where you have secured the explicit consent of the Data Subject, or where the Personal Data transfer is necessary for a contract with a Data Subject.

Obligations in case of breach scenarios

In the almost unavoidable case of a data breach, if the breach would cause prejudice to the privacy, confidentiality and security of Data Subjects' Personal Data, as a data controller you are obliged to notify the Data Office. The details and applicable timeframes will be outlined in the Regulations. If your entity has the function of a data processor, then you have to inform the controller immediately of any breach so that it can take the appropriate actions.

The penalties for violation of the DP Law are expected to be specified in the Regulations, and the Data Office will be in charge of monitoring all compliance elements.

What should you do next to get ready for compliance with the DP Law?

If the DP Law is applicable to your company (or companies), then you should review your current personal data processing activities and evaluate your current compliance situation. In doing so, it is important to keep in mind that you may also need to comply with sector-specific data protection legislation.

You should also create, maintain, and update records of Personal Data processing, keeping in mind that once compliance with the DP Law is mandatory, you will have to make such records available for inspection by the Data Office on request. Cross-border transfer activities require particular attention.

Identifying a legal basis for all your processing activities is very important, bearing in mind that the 'legitimate interest' basis available under the GDPR is not a viable option under the DP Law. Processing activities for which no legal basis exists or can be established (e.g., by seeking consent from the Data Subjects) will ultimately have to cease.

Developing appropriate policies and procedures to comply with the various obligations under the DP Law, assessing whether you are required to appoint a DPO and/or conduct a data processing impact assessment, and taking steps to ensure appropriate technical and organisational measures are in place to secure any Personal Data that you are processing will then have to follow.

Here to help

While (at least) nine months may seem like a long time to get ready to comply with the new DP Law, experience with the GDPR and other data protection legislation has shown that the steps to be taken are time-consuming and require coordination between all parts of the business. Please reach out to our team at Taylor Wessing in Dubai; we are available to support and guide you through the process and prepare the appropriate documentation.
