Personal Data Protection in United Arab Emirates: UAE law overview
- GDPR, Personal data, Privacy, Right
- 30/01/2025
In today’s world, personal data protection has become one of the key challenges for companies and organizations. The existence of numerous national personal data protection laws worldwide only confirms this statement. As we approach the start of the course “UAE Data Protection based on GDPR”, let’s delve into the Emirates’ privacy regulation, which has undergone significant changes over the past four years.
UAE Data Protection Law
The UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL) came into effect on January 2, 2022. Its main purpose is to ensure proper protection of personal data of UAE citizens and residents by establishing rules for the collection, storage, use, and transfer of personal data.
According to the UAE Data Office, privacy rights are crucial for personal data protection. Personal data is any information relating to a specific natural person (individual) who can be directly or indirectly identified through characteristics such as name, voice, photograph, identification number, electronic identifier, geographical location, or physical, physiological, cultural, and social characteristics.
According to Article 2(1), the UAE Federal Personal Data Protection Law applies to all organizations and companies operating within the UAE, including foreign companies with representative offices or branches in the country. This means that regardless of scale and industry, all companies must comply with the law’s requirements and ensure the security of their customers’ and employees’ personal data.
It’s worth noting that the law does not apply to the processing of personal data by UAE government authorities, medical, banking, and credit information — these segments in the Emirates are regulated by separate legislation. Companies established and registered in free zones, such as the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), also do not fall under the law’s scope.
Although the UAE personal data protection law shares some similarities with the General Data Protection Regulation (GDPR) requirements, it also has several distinctive features. A key one is that consent of the data subject is the primary legal basis for data processing. The law does, however, provide certain exceptions under which processing is possible without the subject’s consent, for example:
1) Concluding, amending, or terminating a contract with the data subject, where this has implications for their privacy rights.
2) If the data subject has made the personal data publicly available.
3) To protect the interests of the data subject.
4) If processing is necessary to defend the data subject’s legal rights, or within judicial or security procedures.
5) When processing is necessary for specific medical purposes or public health matters.
Additionally, the UAE has the UAE Personal Data Protection Committee Regulations, which contain provisions on procedures and regulations related to the implementation of the Federal Personal Data Protection Law, including personal data protection policies, guidelines, and standards.
Another important document is the Electronic Commerce Law, which, among other things, covers issues related to the processing of personal data in e-commerce and the rights of the data subject. It contains provisions on the collection, use, and storage of personal data in the context of electronic commerce.
There are also other legislative acts that may relate to personal data protection and privacy in the UAE, such as laws on banking secrecy, medical confidentiality, and data management. Various UAE emirates also have their own laws and regulatory acts in this field.
Personal Data Protection Methods
Compliance with personal data protection requirements is not only a legal obligation but also crucial for building customer trust. In an era of increasing digitalization and growth of online services, people are becoming more aware of the importance of protecting their personal data. Companies that show care for their customers’ information security and confidentiality create a positive impression and strengthen their reputation.
To ensure personal data security in the UAE, companies must take several measures. First, it’s important to develop and implement an information security management system that will regulate the collection, storage, and use of personal data in accordance with legal requirements. Companies must also train their employees on personal data processing rules and conduct regular security audits.
The PDPL requires data controllers and processors to implement appropriate technical and organizational measures and actions to ensure a high level of information security. These include:
- Encryption of the data subject’s personal data.
- Data pseudonymization.
- Implementation of measures guaranteeing long-term data protection, integrity, security, and flexibility of processing systems and services.
- Implementation of measures that guarantee timely access to personal data in case of technical failure or other malfunctions.
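As an added illustration of the pseudonymization measure listed above (example code written for this article, not from the UAE Data Office or any other authority; the records are constructed and the key is a placeholder), the following Python replaces direct identifiers with keyed tokens while keeping the key and the token-to-value table in a separate vault object. The point it demonstrates is the property that makes pseudonymization a safeguard: the pseudonymized dataset on its own no longer identifies anyone, while the additional information needed for re-identification is held separately and under stricter control. It also goes slightly beyond the bullet by including a check a reviewer can run to confirm no raw identifier survived.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records (fictitious people) used only to show the flow.
SAMPLE_RECORDS = [
    {"name": "A. Example", "emirates_id": "784-0000-0000000-0",
     "email": "A.Example@example.com", "city": "Dubai", "plan": "basic"},
    {"name": "B. Example", "emirates_id": "784-0000-0000000-1",
     "email": "b.example@example.com", "city": "Abu Dhabi", "plan": "premium"},
    {"name": "A. Example", "emirates_id": "784-0000-0000000-0",
     "email": "a.example@example.com", "city": "Dubai", "plan": "premium"},
]

# Fields that directly identify a person and are therefore replaced by tokens;
# the remaining fields (city, plan) stay available for analytics.
DIRECT_IDENTIFIERS = ("name", "emirates_id", "email")


class ReidentificationVault:
    """Holds the secret key and the token -> original-value table.

    Pseudonymization only counts as a safeguard if this object (or its
    persisted form) lives in a separate, more tightly controlled store than
    the pseudonymized dataset itself.
    """

    def __init__(self, key: Optional[bytes] = None):
        # Placeholder: 32 random bytes unless a key is supplied (tests pass a fixed one).
        self.key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Normalise so "A.Example@..." and "a.example@..." map to one token, and
        # mix in the field name so equal values in different fields never collide.
        canonical = f"{field}:{value.strip().lower()}".encode("utf-8")
        # HMAC rather than a bare hash: identifiers with a known format are
        # low-entropy, so an unkeyed hash could be reversed by enumeration.
        token = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()[:32]
        self._table.setdefault(token, value.strip())
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._table.get(token)

    def __len__(self) -> int:
        return len(self._table)


def pseudonymize_record(record: dict, vault: ReidentificationVault,
                        fields=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in fields:
        if field in out and out[field] is not None:
            out[field] = vault.tokenize(field, str(out[field]))
    return out


def pseudonymize_dataset(records, vault: ReidentificationVault,
                         fields=DIRECT_IDENTIFIERS) -> list:
    return [pseudonymize_record(r, vault, fields) for r in records]


def contains_raw_identifiers(pseudonymized, originals,
                             fields=DIRECT_IDENTIFIERS) -> bool:
    """Review check: True if any original identifier value survived in the output."""
    raw = {str(r[f]).strip().lower() for r in originals for f in fields if f in r}
    for rec in pseudonymized:
        for f in fields:
            if f in rec and str(rec[f]).strip().lower() in raw:
                return True
    return False


if __name__ == "__main__":
    vault = ReidentificationVault()
    safe = pseudonymize_dataset(SAMPLE_RECORDS, vault)
    for rec in safe:
        print(rec)
    # The same person yields the same token in every record, so the
    # pseudonymized copy can still be grouped and analysed per subject.
    print("raw identifiers leaked:", contains_raw_identifiers(safe, SAMPLE_RECORDS))
```

In use, the vault's key and table would be stored and access-controlled separately from the pseudonymized dataset (for example, in a key management service and a restricted database), and the pseudonymized copy is what analytics, support tooling, or third-party processors receive.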
In case of questions or uncertainties regarding personal data protection requirements in the UAE, it is recommended to seek consultation from lawyers specializing in this area of law.
Consequences of Data Breaches and Other Violations
Non-compliance with personal data protection requirements can have serious consequences for companies. In case of law violation, UAE state authorities may apply administrative measures, including fines, suspension of company operations, license revocation, or restriction of the right to enter into government contracts. Additionally, violation of personal data protection requirements may lead to criminal liability for company executives.
Fines are one of the most common administrative measures that can be applied to companies for violating personal data protection law requirements. Their size depends on the nature of the violation and can be significant. Under UAE legislation, fines can reach up to 5 million dirhams (approximately 1.36 million USD) or a certain percentage of the company’s annual turnover, depending on the violation’s severity.
In cases of serious violations that may be classified as criminal offenses, company executives may also be subject to criminal liability: arrest, fines, or imprisonment depending on the violation’s severity.
It’s important to note that the application of administrative and criminal measures depends on the specific circumstances of each case of law violation. The competent UAE state authorities have the right to make decisions on applying measures in accordance with legislation and their powers.
The main state authority responsible for UAE PDPL compliance is the Data Office, established under separate UAE Federal Law No. 44. It is responsible for developing policies and standards in personal data protection, as well as for conducting inspections and investigating violations of the law.
Also, each UAE emirate has its own personal data protection authority responsible for supervising and controlling compliance with personal data protection law requirements in its territory. These authorities can conduct inspections and investigate violations in accordance with the powers granted to them by legislation.
Here we should also mention the Telecommunications Regulatory Authority — a federal body that also plays a role in personal data protection. The Authority oversees the information technology and telecommunications sector in the UAE and can conduct inspections and investigate violations in this area, including violations of personal data protection law.
These authorities have the power to conduct inspections, require information and documents related to personal data processing, and apply administrative and criminal measures if violations are detected. They also provide guidance and consultation to companies and individuals on personal data protection issues in the UAE.
How to Bring a Company into Compliance with the UAE Law?
To comply with PDPL requirements, businesses need to take several actions. Let’s look at the key steps:
1. Conduct a data inventory (develop a personal data register) to understand what personal data is being processed and whether any of it is sensitive.
2. Assess the need to appoint a DPO. According to Article 10 of PDPL, the data controller and processor must appoint a data protection officer in any of the following cases:
   - If processing may lead to a high risk of a data security breach and serious consequences for the subject.
   - If processing includes systematic and general assessment of sensitive personal data, including profiling and automation.
   - When processing a large volume of sensitive personal data.
3. Provide subjects with transparent and open information about how their personal data is processed (the simplest way is to publish a Privacy Policy that contains all necessary information).
4. Develop official policies and procedures (e.g., a consent-obtaining procedure) and keep them constantly updated.
5. Have reliable data breach notification mechanisms.
6. Map your processes, identify cross-border data flows from the UAE to other countries, and fulfil the strict requirements for cross-border data transfer under PDPL.
7. Apply technical and organizational security measures to protect personal data.
8. Conduct data protection impact assessments (DPIAs), processor assessments, and other risk assessments.
How Data Privacy Office Can Help
Based on numerous client requests, our team has developed a training program on Emirates privacy regulation “UAE Data Protection based on GDPR”. In the course, you can deeply understand the requirements of UAE and two main free economic zones (DIFC, ADGM) in comparison with GDPR.
Additionally, our team can develop a corporate training program specially adapted to your business needs. For all questions, you can freely contact our managers who will gladly guide you through payment conditions, training format, and more.
Conclusion
In conclusion, it can be noted that the UAE Personal Data Protection Law (PDPL) represents a comprehensive regulatory system that:
- Establishes strict rules for personal data processing for companies operating in the UAE.
- Provides for serious sanctions for violations, including large fines up to 5 million dirhams and possible criminal liability.
- Requires companies to implement specific technical and organizational security measures, including data encryption and pseudonymization.
To comply with PDPL requirements, companies need to conduct thorough preparation, including data inventory, DPO appointment when necessary, development of policies and procedures, and ensuring transparency in personal data processing.
Compliance with these requirements is not only a legal obligation but also contributes to strengthening customer trust and maintaining a positive company reputation.