The UAE Cabinet passed Federal Decree-Law No. 45 of 2021 addressing the Protection of Personal Data on November 28th, 2021.
The UAE’s PDPL governs the processing of personal data by any data controller or data processor inside the UAE, whether by fully or partially automated methods, or by any other means, for UAE residents living inside or outside the UAE.
The PDPL in the UAE also applies to data controllers or processors who are not based in the UAE but process the personal data of UAE residents.
The UAE’s PDPL will go into effect on January 2, 2022, and will be reinforced by the publication of a set of Executive Regulations in March 2022.
Organizations will have an additional six months to comply with the PDPL after the Executive Regulations are published. The UAE Cabinet, however, has the authority to extend this deadline.
The PDPL covers any firm based in the UAE that processes personal data outside of the UAE, as well as any corporation based outside of the UAE that processes personal data inside the UAE.
The PDPL does not apply to government institutions or data, nor to personal data that is already protected by the data protection regulations of the Abu Dhabi Global Market (ADGM) or the Dubai International Financial Centre (DIFC), or under special legislation (e.g. personal health data and banking and credit personal data).
The PDPL contains a number of controls that regulate the processing of personal data. These controls are comparable to data protection standards established by other data protection systems, such as the GDPR of the European Union (EU).
Personal data processing must be fair, transparent, and legitimate, with a specified and clear objective.
Personal data must be accurate, complete, and confined to the processing’s intended purpose. Furthermore, technological and organizational procedures should be in place to correct or remove erroneous personal data while keeping the data safe and secure from any breach or unauthorized processing.
Furthermore, unless anonymized, personal data must not be kept after the processing purpose has been completed.
Unless certain particular exceptions exist, the PDPL forbids the processing of personal data without the consent of the data subject. Valid consent must meet the following criteria:
1. the data controller must be able to prove consent;
2. consent must be given in a clear, simple, and accessible manner, either electronically or in writing; and
3. the data subject must be informed that they have the right to withdraw their consent at any time.
Data subjects will have a number of rights under the PDPL, including the ability to:
(i) access their personal data from a controller;
(ii) request the transfer of their personal data;
(iii) restrict the processing of personal data in certain circumstances;
(iv) have their personal data corrected or erased (i.e. the right to be forgotten); and
(v) object to certain types of data processing (for example, if it is for the purpose of direct marketing or scientific and research purposes).
The processor can transmit personal data beyond the UAE to a country or territory that the Data Office has authorized as having specialized personal data protection law in accordance with the UAE, or a sufficient degree of protection for data subjects and their capacity to exercise their rights.
In circumstances where the degree of protection is insufficient, the processor or controller may transmit personal data beyond the UAE provided that the transfer is governed by an agreement that provides an appropriate level of protection for the most significant privacy and confidentiality obligations.
Personal data can also be transferred outside of the UAE with the permission of the data subjects to a country that does not have personal data protection laws, or if it is in the public or judicial interest.
The Executive Regulations, which are set to be promulgated in March 2022, will clarify the requirements for penalties.
Through automation, better data visibility, and identity linkage, iConnect enables and helps businesses on their road to compliance with the UAE’s Personal Data Protection Law.
We help examine your organization’s compliance posture against UAE’s PDPL regulations, discover compliance gaps, and mitigate risks using our multi-regulation, collaborative, and readiness assessment solution.
To maintain compliance with the UAE’s PDPL, you must be able to seamlessly expand assessment capabilities throughout your vendor network.
We help you to set up a solution that can provide seamless access to the required information of your data subjects through a secure, unified gateway.
The danger of any compliance infractions is reduced by automating the distribution and compilation of secure data access reports.