Data Protection in the UAE: 6 Key Takeaways for Local Businesses

May 09, 2022
On 20 September 2021, the United Arab Emirates government issued Federal Decree-Law No. 45 of 2021, the UAE Personal Data Protection Law (PDPL). The law took effect on 2 January 2022. If you have yet to do so, now is the time to hire a technology risk advisory firm. A technology risk consultant can help you assess your existing technological and digital infrastructure, as well as your current business practices and processes, for potential vulnerabilities that could put you in breach of the UAE Personal Data Protection Law. Read on to learn about the new Personal Data Protection Law's key takeaways, particularly for UAE local businesses.

1. Does the Law Apply to You?

This is probably what you wanted to know as soon as the new decree-law was announced, and we'll try to answer it as simply as possible. The law applies to you if you are based in the UAE, and you control or process the personal data of natural persons based in or outside the UAE. Even if you are not in the UAE, the law still applies to you as long as you control or process the personal data of natural persons residing or working in the UAE. In other words, if you are based in Dubai, and you collect, store, transmit, modify, distribute (among other data processes) people's personal data — or direct others to do these things on your behalf — the law applies to you. It doesn't matter that the people whose data you're handling (i.e., your data subjects) are not in the UAE. What matters is that you are. Likewise, even if you are based outside the UAE, the law still applies to you if your data subjects work and live in the UAE. It doesn't matter that you are not in the UAE. What matters is that your data subjects are.

2. Can You Be Exempted From the Law?

Government authorities are all exempt from the law. Furthermore, if you process data related to health and banking where specific data protection legislation already exists, you are exempt from the PDPL. Finally, if you operate in a UAE free zone with its own data protection laws (e.g., the Abu Dhabi Global Market, which has its own ADGM Data Protection Regulations), you, too, are exempt from the PDPL.

3. Which Data Processes Are Covered?

The law covers all activities, whether manual or automated, electronic or non-electronic, that pertain to the processing of personal data. Below is a non-exhaustive list of data processing activities.
  • Collection
  • Storage
  • Recording
  • Organisation
  • Adaptation
  • Alteration
  • Circulation
  • Modification
  • Retrieval
  • Exchange
  • Sharing
  • Use
  • Classification
  • Disclosure
  • Aligning
  • Combining
  • Restricting
  • Blocking
  • Erasing
  • Destroying
  • Modelling
If you are a person or a company that directs data processing activities or specifies the method, criteria and purpose of such data processing activities, you are a data controller. If you execute any or all of the above processes for yourself or on behalf of another party, you are a data processor. The law applies to you in either case, subject to the conditions specified in the first section of this guide.

4. What Does Personal Data Mean?

Personal data is any data that relates to an identified natural person, or to a natural person who may be identified directly or indirectly by linking various pieces of data. Personal data includes:
  • Name
  • Voice
  • Picture
  • I.D. number
  • Online identifiers
  • Location
  • Features (physical, psychological, economic, cultural, social)
  • Sensitive personal data (data that directly or indirectly reveals a person's identity and background, beliefs, records, health condition, biometric data, etc.)

5. What Does the Law Say?

The PDPL basically says data controllers and processors must not process the personal data of data subjects without these data subjects' consent. There are instances when consent is not required, such as in the case of data that the data subject has made public or data that must be processed to protect the public interest. Generally, however, consent is an inviolable requirement of data processing. Therefore, if the law applies to you (see the first section of this guide), you must be able to clearly and definitively demonstrate that your data subjects have provided their consent. The law also provides that data subjects have the right to withdraw their consent and the right to request corrections of inaccurate data. Thus, you must have systems in place that will allow your data subjects to easily and conveniently withdraw their consent or request the correction of their personal data. The law also provides that controllers and processors are responsible for securing and maintaining the confidentiality and privacy of their data subjects' data. Thus, you must have systems in place to protect your data from leaks and breaches. Finally, the PDPL also sets out the requirements for personal data sharing and cross-border transfers. Thus, if you transmit personal data across state/political borders for processing purposes, you will need to have cross-border transfer and sharing systems in place that comply with the PDPL.

6. What Are Your Obligations?

Whether you are a data controller, a processor, or a data protection officer appointed by the controller or processor, your primary obligation is to ensure that you or your organisation comply with the controls, conditions, procedures, and rules stipulated in the UAE Personal Data Protection Law. Consult a technology risk advisory firm for a complete assessment of your company's readiness to comply with the stipulations of the PDPL. The issuance of the PDPL makes a technology risk consultation particularly crucial before business setup in Dubai or elsewhere in the UAE. Contact us for a technology risk assessment today.
