In the United Arab Emirates (UAE), there are federal data protection laws for onshore operations as well as laws specific to offshore financial centers labeled as ‘free zones.’ These zones, such as the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), are governed under their own legal frameworks. Furthermore, the Dubai Healthcare City (DHCC), a healthcare free zone in Dubai, also has its own set of regulations. In addition to these, the UAE has several other laws and regulations that include provisions for data protection, specific to particular emirates and sectors. However, the UAE has not signed any international agreements concerning data protection.
On 28 November 2021, the UAE Cabinet announced that it had enacted Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL 2021), which was issued on 20 September 2021. The PDPL 2021 entered into force on 2 January 2022. Prior to then, the UAE did not have a stand-alone federal data protection law.
The PDPL 2021 provides for further executive regulations to be enacted to give more detail on the data protection requirements businesses must meet. The executive regulations have yet to be issued, and there is no indication when this will happen.
The PDPL applies to:
- processing of personal data of people residing in the UAE or people having a business within the UAE;
- each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE;
- each Controller or Processor located outside the UAE who carries out processing activities of Data Subjects that are inside the UAE.
The PDPL leaves intact the existing data protection and privacy laws within the UAE’s financial free zones, DIFC and ADGM, and the rules of the Dubai Healthcare City, as well as the applicable onshore laws regulating health data and banking and credit data. For this reason, the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.
There are several UAE federal-level laws that contain various provisions in relation to privacy and the protection of personal data:
- Constitution of the UAE (Federal Law 1 of 1971);
- Crimes and Penalties Law (Federal Law 31 of 2021, abrogating Federal Law 3 of 1987);
- Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes;
- Regulating Telecommunications (Federal Law by Decree 3 of 2003, as amended), which includes several implementing regulations/policies enacted by the Telecommunications and Digital Government Regulatory Authority (‘TDRA’) in respect of data protection of telecoms consumers in the UAE.
There are also some federal-level sectoral regulations in banking and finance and in health, which should be considered.
The relevant general data protection framework in the DIFC is the Data Protection Law, DIFC Law No. 5 of 2020 (DIFC DP Law), and the updated Data Protection Regulations. The framework was enacted on 21 May 2020 and came into force on 1 July 2020.
The DIFC DP Law applies to companies incorporated in the DIFC that process personal data, regardless of whether the processing takes place in the DIFC or abroad, and, in certain circumstances, also applies to foreign companies which process personal data in the DIFC. The DIFC DP Law aligns closely with the GDPR and prescribes detailed rules and regulations regarding the collection, handling, disclosure, and use of personal data in the DIFC. There are certain minor differences between the DIFC DP Law and the GDPR, including the requirements and timelines for reporting personal data breaches and the penalty structures.
The Office of the Commissioner of Data Protection is the independent regulator set up to uphold information rights in the public interest and data privacy for individuals in or from the DIFC.
While the DIFC is a common law jurisdiction with its own civil and commercial laws, UAE criminal laws continue to apply within the DIFC.
The relevant data protection law in the ADGM free zone is the ADGM Data Protection Regulations 2021 (ADGM DPR). The regulations were issued on 11 February 2021 and published on 14 February 2021. A transition period for enforcement applied: 12 months for existing businesses (i.e. until 14 February 2022) and six months for new companies (i.e. until 14 August 2021). The ADGM DPR applies to the processing of personal data within the ADGM. Similar to the DIFC DP Law, the ADGM DPR draws on international standards and best practices, particularly the GDPR.
The ADGM DPR established the independent Office of Data Protection (ODP) headed by the newly created commissioner of data protection.
As with the DIFC, whilst the ADGM is a common law jurisdiction with its own civil and commercial laws, UAE criminal laws continue to apply within the ADGM.
There are no data protection registration requirements in the PDPL.
A DPO must be appointed. The DPO can be a staff member or someone working on a service contract and does not necessarily need to be located in the UAE.
Under the PDPL, Personal Data must be processed according to the following controls:
- Processing must be carried out in a fair, transparent, and lawful manner;
- Personal Data must be collected for a specific and clear purpose and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected;
- Personal Data must be sufficient for and limited to the purpose for which the Processing is carried out;
- Personal Data must be accurate and correct and must be updated whenever necessary;
- Appropriate measures and procedures must be in place to ensure the erasure or correction of incorrect Personal Data;
- Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard;
- Personal Data may not be kept after the purpose of its Processing has been fulfilled. It may be retained only if the identity of the Data Subject has been anonymized by means of “Anonymization”;
- Any other controls set by the Executive Regulations of this Decree-Law.
Legal Bases for Processing
The PDPL prohibits Processing Personal Data without the consent of the Data Subject, except in the following cases:
- if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally-established rights in the field of employment, social security, or laws on social protection, to the extent permitted by those laws;
- if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending, or terminating a contract;
- if the Processing is necessary to protect the interests of the Data Subject;
- if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject;
- if the Processing is necessary to protect the public interest;
- if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings or related to judicial or security procedures;
- if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State;
- if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs, and medical devices, in accordance with the legislation in force in the State;
- if the Processing is necessary for archival purposes or for scientific, historical, and statistical studies in accordance with the legislation in force in the State;
- if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers;
- any other cases set by the Executive Regulations.
Data Subjects enjoy a range of rights to control the processing of their personal data, replicating those in the EU GDPR. Controllers must provide information on the action taken in response to a request within one calendar month by default, with a limited right for the Controller to extend this period by a further two months where the request is onerous.
Right to obtain information (‘data access’)
A Data Subject is entitled to request access to and obtain the following information without charge:
- the types of his/her Personal Data that is processed;
- purposes of Processing;
- decisions made based on Automated Processing, including Profiling;
- targeted sectors or establishments with which his/her Personal Data is to be shared, whether inside or outside the State;
- controls and standards for the periods of storing and keeping his/her Personal Data;
- procedures for correcting, erasing, or limiting the Processing of, and objecting to the Processing of, his/her Personal Data;
- protection measures for Cross-Border Processing;
- procedures to be taken in the event of a breach or infringement of his/her Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of his/her Personal Data;
- the process of filing complaints with the Data Office.
Right to request Personal Data transfer (‘data portability’)
The Data Subject has the right to obtain his/her Personal Data provided to the Controller for Processing in a structured and machine-readable manner, so long as the Processing is based on the Consent of the Data Subject or is necessary for the fulfillment of a contractual obligation and is made by automated means.
The Data Subject has the right to request the transfer of his/her Personal Data to another Controller whenever this is technically feasible.
Right to correction or erasure (‘right to be forgotten’)
The Data Subject has the right to request the correction or completion of his/her inaccurate Personal Data held with the Controller and has the right to request the erasure of his/her Personal Data held with the Controller in any of the following cases:
- if his/her Personal Data is no longer required for the purposes for which it is collected or processed;
- if the Data Subject withdraws his/her consent on which the Processing is based;
- if the Data Subject objects to the Processing or if there are no legitimate reasons for the Controller to continue the Processing;
- if his/her Personal Data is processed in violation of the provisions hereof and the legislation in force, and the erasure process is necessary to comply with the applicable legislation and approved standards in this regard.
Right to restriction of Processing
The Data Subject has the right to oblige the Controller to restrict and stop Processing in any of the following cases:
- if the Data Subject objects to the accuracy of his/her Personal Data, in which case the Processing shall be restricted to a specific period allowing the Controller to verify the accuracy of the data;
- if the Data Subject objects to the Processing of his/her Personal Data in violation of the agreed purposes;
- if the Processing is made in violation of the provisions hereof and the legislation in force.
The Data Subject has the right to request the Controller to continue to keep his/her Personal Data after fulfillment of the purposes of Processing if such data is necessary to complete procedures related to claiming or defending rights and legal proceedings.
Right to stop Processing
The Data Subject has the right to object to and stop the Processing of his/her Personal Data in any of the following cases:
- if the Processing is for direct marketing purposes, including profiling related to direct marketing;
- if the Processing is for the purposes of conducting statistical surveys unless the Processing is necessary to achieve the public interest;
- if the Processing is in violation of the controls referred to in Article 5 (referred to above).
The right not to be subject to automated decision-making, including profiling (Article 18)
The Data Subject has the right to object to decisions issued with respect to Automated Processing that have legal consequences or seriously affect the Data Subject, including Profiling. However, the Data Subject may not object to the decisions issued with respect to Automated Processing in the following cases:
- if the Automated Processing is included in the terms of the contract entered into between the Data Subject and Controller;
- if the Automated Processing is necessary according to other legislation in force in the State;
- if the Data Subject has given his/her prior Consent on the Automated Processing.
Unlike the GDPR, the PDPL does not impose more stringent controls around the processing of Sensitive Personal Data. However, if a Controller or Processor carries out Processing that involves a systematic and comprehensive assessment of Sensitive Personal Data, including profiling and automated processing, or if the Processing will be carried out on a large amount of Sensitive Personal Data, then the Controller or Processor must appoint a Data Protection Officer.
A DPIA must be conducted before any Processing that will use modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of the Data Subject, including where the Processing will be carried out on a large amount of Sensitive Personal Data (Article 21).
The PDPL imposes limitations on the international transfer of Personal Data outside the UAE. Similar to the concept of “adequate jurisdictions” in the EU, the Data Office is expected to approve certain territories as having sufficient provisions, measures, controls, requirements, and rules for protecting the privacy and confidentiality of personal data. There are also various other exceptions that exporters can rely on, although further details are awaited from the Data Office.
The SVF Regulation requires that customer data (including customer identification and transaction records) be stored and maintained in the UAE.
The ICT in Health Fields Law requires that Health Information and data related to the health services provided in the UAE may not be stored, processed, generated, or transferred outside the UAE, except in the cases defined by a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health.
The PDPL requires that the Controller, immediately upon becoming aware of any infringement or breach of the Personal Data of the Data Subject that would prejudice the privacy, confidentiality, and security of such data, report the infringement or breach and the results of the investigation to the Data Office within the period and in accordance with the procedures and conditions set by the Executive Regulations. At the date of writing this update, the Executive Regulations have not yet been published.
There are no general laws in the UAE covering electronic marketing.
The PDPL does not expressly cover online privacy; however, the PDPL will apply to Processing carried out online.
The PDPL does not specify penalties.
At the date of writing this update, the Data Office responsible for administering and enforcing the PDPL has not yet been established.
The UAE Central Bank is responsible for its Consumer Protection Regulation and Standards and the SVF Regulation.
The Ministry of Health and Prevention is responsible for the ICT in Health Fields Law.
The Telecommunications and Digital Government Regulatory Authority is responsible for its Consumer Protection Regulations.