

The United Arab Emirates has issued for the first time a federal law for the protection of personal data, namely the 'Federal Decree-Law no. 45/2021 on the Protection of Personal Data' ('Personal Data Protection Law').

The provisions of the Personal Data Protection Law apply to the processing of personal data in the UAE, whether done automatically through electronic systems or via other means. Apart from the newly introduced Law, there exist separate data protection laws applicable to the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM) and the Dubai Healthcare City.

Applicability

The Personal Data Protection Law is wide-reaching in its applicability. It applies to:

1. A data subject who resides or carries out business in the UAE. A data subject refers to any natural person who is the subject of data that could be used to identify such a person;

2. Any controller or processor of data located in the UAE who carries out activities involving processing personal data of data subjects whether residing inside or outside the UAE; and

3. A controller or processor of data located outside the UAE that carries out activities of processing personal data of data subjects inside the UAE.

'Personal Data' Defined

The Personal Data Protection Law clearly distinguishes two types of personal data: Personal Data and Sensitive Personal Data.

Personal Data refers to any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

Sensitive Personal Data refers to any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

What Constitutes a Breach?

Article 5 of the UAE Personal Data Protection Law lays out the legal parameters for processing personal data and states that personal data must be collected only for a specific and clear purpose and should not be processed at any time in a manner that is incompatible with that purpose. Further, personal data should be stored securely with adequate technical protections in place, and it should be stored only with the identity of the data subject anonymized.

The controller of the personal data should obtain the consent of the data subject either in writing or in an electronic format, and the consent letter should indicate the right of the data subject to withdraw such consent at a later date.

A data breach may comprise a breach of information security and personal data by illegal or unauthorized access, including copying, sending, distributing, exchanging, transmitting, circulating or processing data in a way that leads to disclosure thereof to third parties, or damage or alteration thereof during the processes of storage, transmission and processing.

The UAE Personal Data Protection Law provides for the Council of Ministers to issue a decision, based on the proposal of the Data Office's General Manager, on the acts constituting a breach of the Law and the administrative penalties to be imposed.

The new Personal Data Protection Law came into force on 2 January 2022. One of the main objectives of this law has been to ensure that strict controls are in place for the processing of personal data, to maintain its security, confidentiality and privacy.

The rights of the data subject have been clearly defined, including the right to object to and stop the processing of his or her personal data if the processing is for direct marketing purposes, including profiling related to direct marketing, or if the processing is for conducting statistical surveys, unless the processing is necessary to achieve the public interest.

Originally published 27 December 2023
