The United Arab Emirates Federal Decree-Law No. 45/2021, commonly referred to as the 'Personal Data Protection Law' (PDPL), came into effect on January 2, 2022.

The PDPL is the outcome of a long-deliberated plan to raise standards of data protection and privacy for data subjects in line with international norms. It is the first formal data protection law enacted within the UAE mainland governing the collection and processing of the personal data of all subjects residing in the UAE.

The provisions of Article (2), 'Scope of Application of the Decree-Law,' provide that the storage, handling, exchange, retrieval, dissemination, etc. of personal information falls within scope for data subjects who have a domicile or place of business within the State, and that the processing of such data may be undertaken by controllers or processors located either inside or outside the State. Nonetheless, the stipulations of the Decree-Law do not apply to government data, the authorities who control and process personal data, data belonging to the UAE security and judicial authorities, health or financial data (where separate 'special' legislation governs its protection and processing), or companies and organizations within the 'free zones' of the State.

Although the PDPL is the first comprehensive federal data protection law, prior to its promulgation the UAE already had 'offshore' data protection laws for its two main financial free trade zones (FTZs), namely the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM). These FTZs are areas in which operating companies are exempt from taxation and in which expatriates, investors, and relevant shareholders can obtain complete ownership of their operations. As such, sector-specific laws and regulations apply to FTZs.

The PDPL aims to ensure respect for the confidentiality of data subjects by applying the Law so that personal information is adequately managed and protected according to stipulated requirements. According to Article (11), 'Roles of Data Protection Officer,' the Data Office, as the sole regulatory authority, remains responsible for overseeing the implementation of the framework, implementing resolutions, and ensuring the compliance of the Controller and Processors through:

  • Addressing complaints and requests relating to personal data grievances and questions in accordance with the provisions stipulated by the Decree-Law.
  • Providing technical advice, recommendations, and risk assessment procedures based on evaluating the Personal Data protection systems and Intrusion Protection systems implemented by controllers and processors.
  • (In regard to Data Protection Officers) Acting as the mediator between the controller or processor (and the Office when deemed necessary) when evaluating the application of provisions related to the Decree-Law.

The PDPL aims to protect personal data, sensitive personal data, and biometric data. As a matter of definition, the difference between the two categories is that the former encompasses the latter and biometric data. Hence, personal data refers to any data related to a data subject by reference to their name, voice, picture, ID number, geographical or electronic identifiers, or other biometric categories such as physical, physiological, cultural, or social characteristics.

Sensitive personal data refers to any information that reveals an individual's race, ethnicity, political or philosophical views, religious beliefs, criminal record, or data related to their physical, psychological, genetic, or sexual state. Organizations established within the Emirates may process the personal information of data subjects physically located within the country; a company established outside the UAE but processing the data of subjects inside the country will likewise be held liable to follow the UAE Federal Data Protection Law.

Articles (5), 'Personal Data Protection Controls,' and (6), 'Conditions for Consent to Data Processing,' stipulate that processing a subject's personal data without prior consent constitutes a breach of the transparent and lawful privacy and protection clauses. As stated in Article (5)2, personal data must be collected for a clear purpose and cannot be processed at a 'later stage' for a purpose contrary to that for which it was collected. As per Article (6)2, the data subject also has the right to withdraw consent at any time during the course of processing; such withdrawal does not affect the legitimacy of any processing undertaken before consent was revoked.

In order to ensure that security requirements are met, the PDPL ensures compliance from both controller and processor through strict enforcement of standards and organizational measures. Articles (7), 'The General Obligations of the Controller,' and (8), 'The General Obligations of the Processor,' discuss the actions to be carried out to ensure that data is not subject to breach, corruption, or manipulation.

These include:

  • Restricting the processing of personal data to the specific purpose for which it was undertaken; this governs factors such as the scale and kind of data collected, the type of processing taking place, the duration for which the collected data will be stored, and who may access it.
  • Keeping a record of the personal data processed, which will also contain details on the Controller and the Data Protection Officer, the data of those authorized to access the Data Subject's information, the timeframe of access, tracking of modifications and erasure, and any relevant information on the cross-border transfer of data.
  • Providing the Office with any information requested in support of its functions as stated within the Decree-Law and its Executive Regulations.
  • Erasing data following the expiration of the processing timeframe and securing the electronic devices used for the collection and handling of data.
  • Should a subject's data be processed by joint Processors, a contract between both parties will clearly designate and define their respective duties and obligations; both processors will be held liable for the performance of their roles.

Finally, in the case of a data breach, Article (9), 'Notification of Personal Data Breach,' provides that the Controller must immediately notify the Office (and the data subject) of any threat to the subject's confidentiality, privacy, and the security of their personal data as discovered through investigation. The notification must be supplemented by a description of the nature and records of the breach, information on the Data Protection Officer, the expected effects of the breach, the corrective actions taken to minimize those effects, and any other requirements set by the Office.

As consumers and data subjects become more aware of how their data is processed, evaluated, and accessed by third parties and organizations, there is a growing consensus that privacy and security rights must expand in step. The UAE's Personal Data Protection Law is a step towards realizing the country's commitment to, and alignment with, international guidelines for data protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.