Personal Data Protection in United Arab Emirates: UAE law overview

Personal data protection has become one of the key challenges for companies and organizations, and the growing number of national data protection laws worldwide confirms it. As we approach the start of the course “UAE Data Protection based on GDPR”, let’s look at the Emirates’ privacy regulation, which has changed significantly over the past four years.

UAE Data Protection Law

The UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the PDPL) came into effect on January 2, 2022. Its purpose is to protect the personal data of individuals in the UAE by setting rules for the collection, storage, use, and transfer of that data and by defining the obligations of the controllers and processors that handle it.

According to the UAE Data Office, the law is built around the individual’s right to privacy. It defines personal data broadly: any information relating to a specific natural person who can be identified, directly or indirectly, through characteristics such as name, voice, photograph, identification number, electronic identifier, geographical location, or physical, physiological, economic, cultural, or social characteristics. The law also singles out sensitive personal data (for example data revealing ethnic origin, political or religious opinions, criminal record, biometric data, and health data), which carries stricter obligations.

According to Article 2(1), the law applies to controllers and processors located in the UAE, including the branches and representative offices of foreign companies, regardless of whether the data subjects are inside or outside the country. It also reaches controllers and processors located outside the UAE that process the personal data of data subjects residing in the UAE. In practice this means that, regardless of scale and industry, companies must comply with the law’s requirements and protect their customers’ and employees’ personal data.

It’s worth noting that the law does not apply to government data and the processing of personal data by UAE government authorities, to personal data held by security and judicial authorities, or to health, banking, and credit information, which are regulated by separate legislation. Companies established in financial free zones that have their own data protection legislation, such as the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), also fall outside the law’s scope and are governed by the DIFC Data Protection Law and the ADGM Data Protection Regulations respectively.

Distinctive Features of the UAE Data Protection Law

Although the UAE personal data protection law shares some similarities with the General Data Protection Regulation (GDPR) requirements, it also has several distinctive features.

A key distinctive feature is that the consent of the data subject is the primary legal basis for processing. Unlike the GDPR, the UAE law does not offer “legitimate interests” as a general alternative basis. Processing without consent is permitted only in the cases the law lists, for example:

    1. When processing is necessary to conclude, perform, amend, or terminate a contract with the data subject.
    2. When the data subject has made the personal data publicly available.
    3. When processing is necessary to protect the interests of the data subject.
    4. When processing is necessary to initiate or defend legal claims, or within judicial or security procedures.
    5. When processing is necessary for specific medical purposes (such as occupational or preventive medicine) or for public health matters.

Additionally, the law provides for Executive Regulations that set out the procedures for implementing the Federal Personal Data Protection Law, including personal data protection policies, guidelines, and standards. Companies should track their publication, since several of the law’s obligations (such as the notification deadlines and the fine schedule) are detailed there rather than in the law itself.

Another important document is the Electronic Commerce Law, which, among other things, covers the processing of personal data in e-commerce and the rights of the data subject. It contains provisions on the collection, use, and storage of personal data in the context of electronic transactions.

There are also other legislative acts that may relate to personal data protection and privacy in the UAE, such as laws on banking secrecy, medical confidentiality, and data management. Various UAE emirates also have their own laws and regulatory acts in this field.

⚡️ Deepen your understanding of the UAE’s unique privacy framework.

Join our UAE Data Protection based on GDPR course to explore the law, key documents, and how UAE requirements differ from the GDPR with practical insights and expert-led sessions.

Personal Data Protection Methods

Compliance with personal data protection requirements is not only a legal obligation but also crucial for building customer trust. In an era of increasing digitalization and growth of online services, people are becoming more aware of the importance of protecting their personal data. Companies that show care for their customers’ information security and confidentiality create a positive impression and strengthen their reputation.

To ensure personal data security in the UAE, companies must take several measures. First, it’s important to develop and implement an information security management system that governs the collection, storage, and use of personal data in accordance with legal requirements. Companies must also train their employees on personal data processing rules and conduct regular security audits.

The law requires data controllers and processors to implement appropriate technical and organizational measures that ensure a level of security appropriate to the risk of the processing. These include:

    • Encryption of the data subject’s personal data.
    • Data pseudonymization.
    • Measures that ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
    • Measures that restore the availability of and access to personal data in a timely manner in the event of a technical failure or other incident.
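
The pseudonymization item above is the one measure in this list that is easy to get wrong in practice: an unkeyed hash of an e-mail address or phone number is not a pseudonym, because the input space is small enough to enumerate. The following added example (not code from the page or from any UAE regulator) shows the approach a practitioner would use instead: a keyed HMAC pseudonym, a purpose tag so that one person’s records are linkable inside a single processing purpose but not across purposes, and a re-identification table kept apart from the dataset. The record, field names, and purpose labels are constructed for illustration.

```python
"""Keyed pseudonymization of a personal data record (illustrative example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record; the field names and values are assumptions.
SAMPLE_RECORD = {
    "name": "Fatima Al Mansoori",
    "email": "fatima@example.com",
    "phone": "+971500000000",
    "plan": "premium",
    "last_login": "2024-03-01",
}
# Fields that identify the person directly and must not leave the controller in clear.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def pseudonym(value: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 over purpose || 0x00 || value, truncated to 128 bits (32 hex chars).

    Keyed: someone holding the dataset but not the key cannot recover a phone
    number or e-mail by hashing candidate values (a dictionary attack works
    against a plain SHA-256 of the same fields).
    Deterministic per (key, purpose): the same person gets the same token in
    one dataset, so analytics stay possible, but a different token in another
    purpose's dataset, so the two cannot be joined without the vault.
    """
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class PseudonymVault:
    """Holds the HMAC key and the re-identification table.

    In a real deployment both live in a separate, access-controlled system
    (KMS/HSM for the key, restricted database for the table). That separation
    from the pseudonymized dataset is what makes the output pseudonymous
    rather than merely obfuscated.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize_record(self, record: Dict[str, str], purpose: str) -> Dict[str, str]:
        """Return a copy with direct identifiers replaced by tokens; non-identifying fields are kept."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                token = pseudonym(out[field], self.key, purpose)
                self._lookup[token] = out[field]
                out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Controlled re-identification: only the vault holder can map a token back."""
        return self._lookup.get(token)


def contains_originals(pseudo: Dict[str, str], original: Dict[str, str]) -> bool:
    """Release check: no original identifier value may survive in the pseudonymized record."""
    return any(
        pseudo.get(field) == original[field]
        for field in DIRECT_IDENTIFIERS
        if field in original
    )


if __name__ == "__main__":
    vault = PseudonymVault()
    analytics = vault.pseudonymize_record(SAMPLE_RECORD, purpose="analytics")
    marketing = vault.pseudonymize_record(SAMPLE_RECORD, purpose="marketing")
    print("analytics:", analytics)
    print("same person, other purpose:", marketing["email"])
    print("leaks originals:", contains_originals(analytics, SAMPLE_RECORD))
    print("re-identified:", vault.reidentify(analytics["email"]))
```

Rotating the key gives a fresh set of tokens, which is the usual way to cut linkability after a retention period ends; the old re-identification table is then deleted rather than migrated.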

In case of questions or uncertainties regarding personal data protection requirements in the UAE, it is recommended to seek consultation from lawyers specializing in this area of law.

Consequences of Data Breaches and Other Violations

Non-compliance with personal data protection requirements can have serious consequences for companies. In case of a violation, UAE authorities may apply administrative measures, including fines, suspension of company operations, license revocation, or restriction of the right to enter into government contracts. Where the conduct also falls under other UAE legislation, such as the cybercrime law, company executives may additionally face criminal liability.

Fines are the most common administrative measure applied for violating personal data protection requirements. Their size depends on the nature and severity of the violation and can be significant: the figures cited for the UAE reach up to 5 million dirhams (approximately 1.36 million USD) or a percentage of the company’s annual turnover. The detailed fine schedule is a matter for the law’s Executive Regulations, so the applicable amounts should be checked against the current text.

In cases of serious violations that qualify as criminal offenses, company executives may face arrest, fines, or imprisonment depending on the violation’s severity.

It’s important to note that the application of administrative and criminal measures depends on the specific circumstances of each case of law violation. The competent UAE state authorities have the right to make decisions on applying measures in accordance with legislation and their powers.

The main federal authority responsible for compliance is the UAE Data Office, established by the separate Federal Decree-Law No. 44 of 2021. It is responsible for developing policies and standards on personal data protection, receiving complaints and breach notifications, and conducting inspections and investigating violations of the law.

Also, the financial free zones with their own data protection laws have their own supervisory authorities: the DIFC Commissioner of Data Protection and the ADGM Office of Data Protection. They supervise compliance with their respective laws within their territory and can conduct inspections and investigate violations in accordance with the powers granted to them by that legislation.

Here we should also mention the Telecommunications and Digital Government Regulatory Authority (TDRA, formerly the Telecommunications Regulatory Authority), a federal body that also plays a role in personal data protection. The TDRA oversees the information technology and telecommunications sector in the UAE and can conduct inspections and investigate violations in this area, including violations of personal data protection requirements by licensees.

These authorities have the power to conduct inspections, require information and documents related to personal data processing, impose administrative measures, and refer conduct that may constitute a criminal offense to the competent prosecuting authorities. They also provide guidance to companies and individuals on personal data protection issues in the UAE.

How to Bring a Company into Compliance with the UAE Law?

To comply with requirements, businesses need to take several actions. Let’s look at the key steps:

1. Conduct a data inventory (develop a personal data register) to understand what personal data is being processed, for what purposes, on which legal basis, and whether sensitive personal data is involved.

2. Assess the need to appoint a DPO.

According to Article 10, the data controller and processor must appoint a data protection officer in any of the following cases:

    • If the processing is likely to create a high risk to the confidentiality and privacy of personal data, because of the technologies used or the volume of data processed.
    • If the processing involves a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing.
    • When processing a large volume of sensitive personal data.

3. Provide transparent information to data subjects about how their personal data is processed (the simplest way is to publish a Privacy Policy containing all the information the law requires).

4. Develop official policies and procedures (e.g., consent obtaining procedure, etc.), and remember to keep them constantly updated.

5. Have reliable data breach detection and notification mechanisms, so that breaches that harm the privacy or confidentiality of personal data are reported to the Data Office and, where required, to the affected data subjects.

6. Map your processes and identify cross-border data flows from the UAE to other countries, and meet the law’s conditions for cross-border transfer (transfer to countries with adequate protection, or otherwise on the basis of appropriate safeguards such as contractual clauses, or explicit consent).

7. Apply technical and organizational security measures to protect personal data.

8. Conduct data protection impact assessments (DPIA), processor assessments, and other risk assessments.

Conclusion

In conclusion, the UAE Personal Data Protection Law is a comprehensive regulatory system that:

    • Establishes strict rules for personal data processing for companies operating in the UAE.
    • Provides for serious sanctions for violations, including large fines up to 5 million dirhams and possible criminal liability.
    • Requires companies to implement specific technical and organizational security measures, including data encryption and pseudonymization.

To comply with requirements, companies need to conduct thorough preparation, including data inventory, DPO appointment when necessary, development of policies and procedures, and ensuring transparency in personal data processing.

Compliance with these requirements is not only a legal obligation but also contributes to strengthening customer trust and maintaining a positive company reputation.
