GDPR: Key Provisions of the Personal Data Protection Regulation

In 2021, the United Arab Emirates (UAE) enacted new legislation (Federal Decree-Law No. 45 of 2021) regulating the rules for the collection, processing, and use of personal data, aimed at aligning the regulation in this area with international standards and principles of personal data protection. The Federal Data Protection Law is the first federal law developed in collaboration with major private sector technology companies. The law came into effect on January 2, 2022 (hereinafter referred to as the Data Protection Law or the Law).

Alongside the Data Protection Law, the UAE also issued Federal Decree-Law No. 44 of 2021 (Federal Decree-Law No. 44 of 2021 Creation of the UAE Data Office), establishing a special regulator—the UAE Data Office ("Data Office"), which will act as the regulatory body for data protection (hereinafter referred to as the Regulator).

A separate Data Protection Law was adopted in the Dubai International Financial Centre (DIFC)—Law No. 5 of 2020 "On Data Protection."

Key Provisions of the Data Protection Law

   The Data Protection Law, similar to the General Data Protection Regulation (GDPR) of the European Union, includes the following key provisions:

   - Requires the maintenance of records of data processing;

   - Introduces the concepts of "Controller" and "Data Processor";

   - Establishes the legal grounds necessary for data processing;

   - Introduces general data processing requirements comparable to the principles of GDPR;

   - Requires conducting high-risk data protection assessments;

   - Grants data subjects rights equal to those provided by GDPR, including the right to seek compensation in the event of damage resulting from a violation of the Law;

   - Establishes guarantees for cross-border processing of personal data (the Law prohibits international transfers without appropriate data security guarantees in another country);

   - Sets criteria for determining when an organization must appoint a Data Protection Officer (DPO).

Scope of the Data Protection Law

   The Data Protection Law has extraterritorial applicability, similar to the General Data Protection Regulation (GDPR), and applies to any organization established in the UAE that processes personal data of data subjects inside or outside the UAE, as well as to any organization established outside the UAE that processes personal data of data subjects within the UAE.

   The Data Protection Law defines personal data as any information relating to an identified or identifiable living individual, which can be identified directly or indirectly through reference to an identifier, such as a name, identification number, location data, online identifier, or one or several factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.

   Sensitive personal data includes information concerning racial or ethnic origin, community origin, political affiliation or opinions, religious or philosophical beliefs, criminal convictions, membership in trade unions, health status, or sexual life, including genetic and biometric data, if such data are used for the unique identification of an individual.

   The Data Protection Law applies to the processing of personal data by: (i) controllers and data processors registered in the UAE, regardless of whether any processing takes place in the UAE or not; and (ii) controllers and data processors, regardless of their place of registration, if they process personal data in the UAE on a regular basis.

   A controller is defined in the Law as any person who determines the purposes and means of processing personal data either alone or jointly with others. A data processor is defined in the Law as any person who processes personal data on behalf of the controller.

Exclusions from the Scope of the Data Protection Law

   The Law does not apply to:

   - Government data, governmental bodies controlling or processing personal data, as well as personal data processed by law enforcement and judicial authorities.

   - Personal medical data and information or personal banking and credit data if separate legislation regulates such personal data and information.

   - Free zones in the UAE, such as the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), where their own data protection laws apply.

   - The use of personal data for personal (non-commercial) purposes.

   Information about legal entities is not considered personal data. However, the Data Protection Law may apply to any individual acting as a sole proprietor or a partner in a partnership.

   The Data Protection Law also provides the Regulator with the ability to exempt certain organizations that do not process a large volume of personal data from some or all of the requirements set forth in the Data Protection Law.

Grounds for Data Processing

   As a general rule, the Data Protection Law prohibits the processing of personal data without the consent of the individual—the data subject.

   In certain exceptional cases, data processing is considered lawful without obtaining the consent of the data subject when it is justified and necessary for:

   - The performance of a contract to which the data subject is a party (or to take steps at the request of the data subject prior to entering into such a contract);

   - Compliance with legislation to which the controller is subject;

   - Protection of vital interests of the data subject or another individual;

   - Safeguarding the legitimate interests of the controller or a third party to whom personal data has been provided, except where such interests are overridden by the interests or rights of the data subject.

   Consent must be given voluntarily through a clear and unambiguous positive statement or action. If an action by the controller, the data subject, or any other party (including the performance of contractual obligations) depends on the provision of consent for the processing of personal data, such consent will not be considered voluntarily given for any data processing that is not reasonably necessary to carry out the intended action or when the data is requested in excess of what is necessary for the stated purpose.

Obligations of the Controller/Data Processor

   The Data Protection Law requires controllers and data processors to keep records of personal data (Record of Processing Activities, ROPA).

   The controller or data processor must establish a program to demonstrate compliance with the Law. The level and detail of the program will depend on the scale and resources of the controller, the category of processed personal data, and the risks to data subjects.

   The controller or data processor must implement appropriate technical and organizational measures to ensure that data processing is carried out in accordance with the Law, taking into account:

   - The nature, scope, and purpose of the processing;

   - The risks associated with data processing for the relevant data subject;

   - The prevailing industry practice regarding information security;

   - Reasonable and adequate measures to protect data from any intentional unlawful actions and/or negligent, accidental destruction, loss, alteration, disclosure of personal data or access to it;

   - Reasonable and adequate measures to protect data from other unlawful forms of processing;

   - Ensuring that only those personal data necessary for the specific stated purpose are provided.

   If the controller offers online services through a platform, the platform’s privacy settings must be configured so that the request for information does not exceed the amount of personal data strictly necessary to provide or receive the relevant service, and the data subject must have the right and technical means to (a) choose privacy settings upon first use and (b) easily change those settings subsequently.

   The controller or data processor must establish and maintain a written data protection policy, as well as clearly designate a responsible data security officer.

   Responsibility for compliance with the Law must lie with a relatively high-ranking representative of the company, such as the Chief Executive Officer, Chief Legal Officer, or Managing Director.

Appointment of Data Protection Officer (DPO)

   A company must appoint a DPO in cases where the controller or data processor engages in high-risk data processing activities on a systematic or regular basis.

   High-risk personal data processing means processing that meets one or more of the following criteria:

   (a) processing that involves the implementation of new or other technologies or methods that create a substantial increased risk to the security or rights of data subjects, or impede the data subject’s exercise of their rights;

   (b) processing a significant volume of personal data (including employees and contractor personal data) and if such processing may result in a high risk for the data subject, including due to the sensitivity of the personal data;

   (c) processing includes systematic and comprehensive assessment of data concerning racial or ethnic origin, community origin, political affiliation or opinions, religious or philosophical beliefs, criminal convictions, membership in trade unions, health status or sexual life, including genetic and biometric data, if such data are used for the unique identification of an individual.

   The DPO may be an employee of the company or an external person, who generally must reside in the UAE, unless they are an employee working within a Group of Companies performing a similar function for the Group at an international level.

   Such a person must have the relevant level of qualification to understand local requirements and be available to support the business in the UAE.

   The controller or data processor must publish the DPO’s contact information in such a manner that contact is easily accessible to third parties (including data subjects) and ensures the ability to reach them during working hours.

   The DPO must be provided with adequate resources for the effective, objective, and independent performance of their duties, including direct and unrestricted access to data. The DPO informs and advises the controller/data processor and their employees regarding the application of the Data Protection Law and interacts with the DIFC Commissioner, providing relevant information as required by the Law, except for information protected by the Law and not subject to disclosure.

Data Breach Procedures

Upon becoming aware of any personal data breach that may "harm the privacy, confidentiality, and security of the personal data of the data subject," the controller must inform the data subject and the Regulator of the violations and provide the Regulator with information about the investigation conducted regarding the breach.

Cross-Border Data Transfers 

The Data Protection Law regulates the transfer of personal data to third countries, establishing that such transfers are permissible only if the Regulator has confirmed that the recipient country provides adequate data protection, or if the parties take appropriate safeguards to ensure the protection of personal data during their transfer.

Penalties for Non-Compliance

The Law establishes significant fines for violations and penalties for non-compliance, which can reach up to AED 10 million. In certain cases, the Regulator can prohibit data processing activities and block data subjects from accessing their personal data.

Given the heavy administrative burden for compliance with the Law, it is critical that organisations implement their data protection compliance program as soon as possible.