ARTICLE
25 November 2019

Employee Monitoring In The UAE

BA
BSA Ahmad Bin Hezeem & Associates LLP

Contributor

BSA is a full-service law firm headquartered in Dubai, UAE, with 9 offices across the region. We are deeply rooted in the region, offering a competitive advantage to clients seeking advice that works in the real world and is truly in tune with the market. We have rights of audience in every country where we have an office, means that we can litigate all the way from the boardroom to the courtroom.
The United Arab Emirates (‘UAE') is a federation of seven emirates, and all emirates are subject to the UAE constitution and a set of federal laws while retaining the right to administer
United Arab Emirates Privacy

1. Governing Texts

1.1. Legislation relevant to employee monitoring

The United Arab Emirates (‘UAE’) is a federation of seven emirates, and all emirates are subject to the UAE constitution and a set of federal laws while retaining the right to administer their own internal aairs and to manage their wealth through a local legal infrastructure.

The UAE also include many free-zones, some of which administer their own set of laws and court systems such as the Dubai International Financial Center (‘DIFC’) and Abu Dhabi Global Market (‘ADGM’).

For the purpose of the present guidelines, we will, when and if relevant, refer to the laws applicable on a Federal level as the ‘Federal Laws’, local level as the ‘Local Laws’ and/or the laws enacted by certain free-zone authorities as the ‘Free-zone Laws’.
The UAE does not have one specific law that regulates the right of employers to monitor employees, although many texts included in existing laws and regulations in the UAE will have an impact on how employees can be supervised by their employers. These include:

Federal Laws

  • The UAE Constitution of 1971 (‘the Constitution’);
  • The Penal Code of 1987 (Federal Law No. 3 of 1987) (‘the Penal Code’);
  • Federal Decree-Law No. 5 of 2012 on Combating Cybercrimes (‘the Cybercrimes Law’);
  • The UAE Labour Law of 1980 (Federal Law No. 8 of 1980) (‘the Labour Law’); and
  • Federal Decree-Law No. 3 of 2003 regarding the Organisation of the Telecommunications Sector (‘the Telecommunications Law’).

Free-zone Laws

The ADGM Employment Regulations of 2015 (‘the ADGM Employment Regulations’) apply to all organisations that are licensed by the ADGM and contain a section on the protection of personal data of individuals employed by companies within the ADGM.

We note that ‘personal data’ is defined in the ADGM Employment Regulations as any information relating to an identified natural person or to an identifiable natural person whether directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her biological, physical, biometric, physiological, mental, economic, cultural, or social identity.

The term ‘processing’, in relation to personal data, means collection, recording or storage of the personal data or carrying out any operation or set of operations on the personal data including:

  • organisation, adaptation, or alteration of the personal data;
  • retrieval, consultation, or use of the personal data;
  • disclosure by transmission, dissemination, or otherwise making available; or
  • alignment, combination, blocking, erasure, or destruction of the personal data.

Similarly, the DIFC Data Protection Law 2007 (DIFC Law No.1 of 2007) and its amendments (‘the DIFC Data Protection Law’) regulates and protects activities related to the personal data of individuals.

Under the DIFC Data Protection Law, the term ‘data controller’ is defined as any person in the DIFC who determines the purposes and means of the processing of personal data, and the term ‘data subject’ refers to the individual to whom personal data relates, and the ‘Commissioner of Data Protection’ is the person appointed to administer the DIFC Data Protection Law. ‘Personal data’ means any information which is:

  • being processed by means of equipment operating automatically in response to instructions given for that purpose;
  • recorded with the intention that it should be processed by means of such equipment; or
  • recorded as part of a relevant filling system or with the intention that it should form part of a relevant filling system

The term ‘processing of personal data’ refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Dubai Healthcare City (‘DHCC’) Regulation No. 7 of 2013 provides for a data protection system, more specifically regarding the transmission of confidential information, which is intended to control the way in which medical facilities manage and use confidential patient information and the patients’ rights over their own health information and health records.

1.2. Sector-specific legislation relevant to employee monitoring

There are currently no sector-specific legislations relevant to employee monitoring in the UAE but rather a combination of potentially applicable Federal, Local, and Free-zone Laws that may be applicable to employers and employees, as set out in section 1.1 above.

1.3. Guidelines from supervisory authorities

The UAE Ministry of Human Resources & Emiratisation (‘MOHRE’) is considered the supervisory authority to administer and ensure compliance with the provisions of the Labour Law. In addition, the MOHRE regulates the relationship between employee/employer. However, the MOHRE has not published any guidelines that specifically address how employees may be monitored by their employers.
As for the DIFC, we note that the DIFC Data Protection Law appoints the Commissioner of Data Protection as the supervisory authority to administer and ensure compliance with the DIFC Data Protection Law.
On the other hand, the ADGM has created the ADGM Registration Authority (‘the Registrar’) which is an independent body which has the powers to administer data protection regulations and enforce its provisions.

1.4. Notable decisions, i.e. case law or decisions from supervisory authorities

For the time being, there is no data protection authority or similar governmental body established at a federal level in the UAE. Therefore, there are no notable decisions to date.

2. Telephone

2.1. What are the rules for recording telephone conversations?

The Federal Laws do not specifically provide rules for recording employees’ telephone conversations in the workplace. However, the Federal, Local, and Free-zones Laws guarantee the right to privacy and the right to safeguard personal data, which may be applicable to instances such as recording telephone conversations in the workplace. The relevant provisions are:

  • Article 31 of the UAE Constitution which states an individual enjoys ‘freedom of communication by post, telegraph or other means of communications and the secrecy thereof shall be guaranteed in accordance with the law’;
  • Article 15 of the Cybercrimes Law which penalises ‘the capture and interception of any communication intentionally and without permission through an information network’;
  • Article 72 of the Telecommunications Law penalises copying or disclosing the content of any sort of communication without the right to do so;
  • Article 378 onwards of the Penal Code criminalises offences in relation to the interception or disclosure of correspondence or telephone conversations without previous consent; and
  • Part 2 of the DIFC Data Protection Law on general regulations on the processing of personal data.

2.2. For which purposes may an employer carry out this type of monitoring?

Many businesses are required, by nature, to monitor telephone conversations as a way to manage risk or record customers’ instructions, such as banks, telecommunication service providers, trading houses, insurance and brokerage companies.

Other companies that are not required by nature to monitor telephone conversations may decide to do so for training purposes and/or to ensure the quality of the services provided by employees.

2.3. Is prior notification/approval with the data protection authority required?

For the time being, there is no data protection authority or similar governmental body established at a federal level in the UAE.

As for the DIFC, Article 19 of the DIFC Data Protection Law stipulates that the data controller must notify the Commissioner of Data Protection of any data processing activities and when:

  • sensitive personal data (defined as personal data that reveals or concerns, directly or indirectly, racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal records, trade-union membership, and health or sex life) is being processed; and
  • personal data is being transferred outside of the DIFC.

The ADGM applies a similar set of restrictions in relation to any person in the ADGM (excluding individuals acting in their capacity as staff members) who, alone or jointly with others, determines the purposes and means of the processing of personal data. Any data controller is expected to register as such with the Registrar and notify the Registrar of its intention to become a data controller. Personal data collected by data controllers in the ADGM must be processed in line with the data processing principles issued as an annex to the ADGM Data Protection Regulations

2.4 Is prior notification/approval/consultation from works councils required?

There are no works’ councils established in the UAE.

2.5 Is consent required from employee? If so, how should consent be sought?

According to the Federal Laws, specifically the Cybercrimes Law, Telecommunications Law, and the Penal Code, it is not permissible to record phone conservations without the consent of the concerned parties.

The DIFC Data Protection Law
Articles 9 and 10 of the DIFC Data Protection Law state that personal data and sensitive personal data may only be processed if the written approval of the data subject is obtained. The DIFC Data Protection Law does not describe how the consent can be sought, but does mention that consent should be obtained in writing.

2.6 Is consent required from other party to the call? If so, how should consent be sought?

Although the Federal Laws do not explicitly mention whether the consent of the other party is required, we believe that the consent must also be obtained by all parties so that the conversation as a precautionary measure for employers to avoid punishments or penalties stipulated under the applicable Federal Laws.

The common method used to obtain the consent of all the parties would be to inform them in advance that the call may be monitored.

2.7 Is there a legal requirement for employers to have a written policy in place governing telephone monitoring? If not, is there a recommendation to have one?

The potentially applicable UAE Laws do not require that employers have written policies in place governing telephone monitoring. However, it is prudent and advisable that employers implement adequate and detailed policies that describe the purpose of monitoring and recording telephone conversations in the workplace.

2.8 Are there any exemptions to the legal requirements which govern this type of monitoring?

The Federal Laws do not foresee any exemptions to the legal requirement of consent given by the subject to be monitored.

2.9 What are the retention requirements applicable to data collected through telephone monitoring?

There are no retention requirements applicable to data collected through telephone according to UAE Laws unless the recordings are made to record instructions and are meant to replace a written agreement. In such a case, the retention regulations applicable to the original written agreement will apply instead.

3. CCTV

3.1 What are the rules for CCTV surveillance?

Under UAE Laws, the use of CCTV is still relatively unregulated, yet a person’s rights to privacy must be considered when installing CCTV. Article 378 of the UAE Penal Code stipulates that a person shall be punished by detention and fined if they prejudice the privacy of individual or family life by committing any of the following acts (pother than in events as permitted by law or with the consent of the victim):

  • to eavesdrop, record, or transmit by any device of any kind whatsoever conversations in a private place or by way of telephone or any other device; and
  • to take or transmit by any device of any kind whatsoever a photo of a person in a private place.

This means that signage should be displayed if CCTV is installed or that prior written consent be obtained from individuals who may be recorded by CCTV in a specific area, including the workplace.

Local Laws

Dubai Law No. 24 of 2008 and its amendments on ‘Regarding Security Service Providers and Users’ enumerates in its Article 16 the business activities that must satisfy certain security specifications including employing CCTV. These include hotels and short-stay residences, financial and monetary institutions, manufacture and sale of precious metals and stones, shooting ranges, military and hunting equipment stores, shopping and leisure centers, precious materials storage facilities, hazardous materials storage facilities, precious commodities stores/outlets, large department stores, petrol stations, internet services, storage services, and aircraft and balloon clubs.

3.2. For which purposes may an employer carry out this type of monitoring?

There are no specifications as to the purpose of carrying out monitoring through CCTV, yet companies are usually equipped with these devices when such is necessary for the organisation and maintenance of security, depending on the type of activity carried out by the company.

In the Emirate of Dubai, the Dubai Police imposes that companies carrying out certain business activities to install security equipment such as CCTV. Please refer to section 3.1.

3.3 Is prior notification/approval with the data protection authority required?

Please refer to section 2.3 above.

3.4. Is prior notification/approval/consultation from works councils required?

There are no works’ councils established in the UAE.

3.5 Is consent required from employee? If so, how should consent be sought?

In instances where CCTV is installed in the workplace, relying on implied consent of employees is not advisable and the prior written approval of the employee is recommended. This may be mentioned in the employment agreement and/or internal policies of the company.

3.6. Is there a legal requirement for employers to have a written policy in place governing CCTV surveillance? If not, is there a recommendation to have one?

There is no explicit legal requirement for employers to have a written policy under UAE Law. However, it is highly advisable that employers put in place internal policies to inform employees of the CCTV in the work premises which explicitly describe the location and purpose of the CCTV

3.7. Are there any exemptions?

The Federal Laws do not foresee any exemptions to the legal requirement of consent given by the subject to be monitored.8. What are the retention requirements applicable to data collected through CCTV surveillance?
Under Federal Laws, there is no retention requirements applicable to data collected through CCTV surveillance. However, recorded footage should not be used abusively by the employer and the CCTV must not be placed in private areas such as the toilets, prayer rooms, etc.

4. Email

4.1 What are the rules regarding monitoring of employees’ emails?

As a general rule, employers have the right to monitor and access the company’s property which include email servers, devices such as mobiles, laptops, or tablets provided that:

  • the employees are made aware of this right; and
  • the purpose of accessing and monitoring the emails (or other devices) is strictly related to work and not to private and family matters.

The potentially applicable legislations that regulate the extent to which an employer may monitor and have access to an employee’s work email and other devices are as follows:

  • Article 31 of the UAE Constitution states that an individual enjoys ‘freedom of communication by post, telegraph or other means of communications and the secrecy thereof shall be guaranteed in accordance with the law’;
  • Article 15 of The Cybercrime Law which punishes the capture and interception of any communication intentionally and without permission through an information network;
  • Article 72 of the Telecommunications Law penalises copying or disclosing the content of any sort of communication without the right to do so;
  • Article 378 onwards of the Penal Code criminalises offences in relation to the interception or disclosure of correspondence or telephone conversations without previous consent; and
  • Part 2 of the DIFC Data Protection Law on general regulations on the processing of personal data.

4.2. For which purposes may an employer carry out this type of monitoring?

Employers have the right to monitor a company’s property for purposes related to work such as monitoring, training, and ensuring quality services.

4.3. Is prior notification/approval with the data protection authority required?

Please refer to section 2.3. above.4.4. Is notification/approval/consultation with works council required?

There are no works’ councils established in the UAE.

4.5 Is consent required from employee? If so, how should consent be sought?

THe fact that the email server belongs to the company’s assets implies that the company will have full access to the server. Nevertheless, it is advisable that the employers inform their employees of the company’s rights to access and make use of the emails exchanged and contained in work emails. This approval is usually sought through either the internal policies of the company that are signed by employees, or in the form of a provision contained in the employment agreement.

4.6 Is there a legal requirement for employers to have a written policy in place governing email monitoring? If not, is there a recommendation to have one?

There is no legal requirement in UAE laws for employers to have a written policy. However, employers should have a written policy to make employees aware that they are being monitored, which is usually described in the employment agreement (under clause ‘company’s property’), employees’ handbook, or other forms of internal policies that are usually handed over to employees upon joining the company or during their employment.

4.7 Are there any exemptions to the legal requirements which govern this type of monitoring?

Please refer to section 2.7 above.

4.8 What are the retention requirements

Under UAE Federal Laws, there is no retention requirements applicable to data collected through email monitoring.

5. Biometrics

5.1 What are the rules regarding biometric monitoring?

The Federal Laws do not regulate biometric monitoring.

5.2 For which purposes may an employer carry out this type of monitoring?

Federal Laws do not regulate biometric monitoring, therefore, they do not provide rules regarding the purposes for which an employer to carry out biometric monitoring.

5.3 Is prior notification/approval with the data protection authority required?

Please refer to section 2.3 above.

5.4 Is notification/approval/consultation with works council required?

There are no works councils established in the UAE.

5.5 Is consent required from the employee? If so, how should consent be sought?

There are currently no regulations governing employee’s biometric data under Federal Laws.

5.6 Is there a legal requirement for employers to have a written policy in place governing biometric monitoring? If not, is there a recommendation to have one?

UAE Federal Laws do not provide stipulations for biometric monitoring, and there are no requirements of written policies regarding this type of monitoring. However, if it is recommended that employees are made aware of the collection of their personal data and the purposes of biometric monitoring through the issuance of internal company policies.

5.7 Are there any exemptions to the legal requirements which govern this type of monitoring?

UAE Federal Laws do not contemplate biometric monitoring and, as such, do not foresee any exemptions.

5.8 What are the retention requirements applicable to data collected for biometric monitoring?

There are no laws regarding retention of employees’ biometric data under UAE Federal Laws.

6. Device Monitoring

6.1 What are the rules regarding company owns device monitoring?

Please refer to section 4.1 above.

6.2 For which purposes may an employer carry out this type of monitoring?

Please refer to section 4.2 above.

6.3 Is prior notification/approval with the data protection authority required?

Please refer to section 2.3 above.

6.4 Is notification/approval/consultation with works council required?

There are no works’ councils established in the UAE.

6.5 Is consent required from the employee? If so, how should consent be required?

Please refer to section 4.5 above.

6.6 Is there a legal requirement for employers to have a written policy in place governing company owned device monitoring? If not, is there a recommendation to have one?

Please refer to section 4.6 above.

6.7 Are there any exemptions to the legal requirements which govern this type of monitoring?

Please refer to section 4.7 above.

6.8 What are the retention requirements applicable to data collected from the company owned devices?

Please refer to section 4.8 above.

7. Court Surveillance

There are no instances under UAE Federal Laws in which an employer may carry out covert surveillance.

8. Employees’ Access Rights

Federal Laws

Under the UAE Labour Law, employers must keep certain records of each employee, including personal information such as names, addresses, phone numbers, salaries, or positions. However, the Labour Law has no provisions addressing as to whether or not the employee has the right to access such records.

The DIFC Data Protection Law

Article 17 of the DIFC Data Protection Law states that a data subject as the right to obtain from the data controller upon their request a confirmation in writing as to whether or not personal data relating to the employee is being processed and information, at least, as to the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data are disclosed.

9. Penalties

The penalties for non-compliance are as follows:

Article 380 of the Penal Code states that whoever opens a letter or cable without consent of the person to whom it is sent or overhears a telephone call shall be punished by a fine not less than AED 3,000 (approximately €740). A culprit shall be punished by detention for a period of at least three months or by a fine of at least AED 5,000 (approximately €1,240) if he/she divulges the contents of said letter, cable, or telephone call to a person other than that to whom it is addressed, and without his/her consent, where such an act causes damage to others.

Article 15 of the Cybercrimes Law states that any person who captures or intercepts any communication through any information network, intentionally and without permission, will be punished by imprisonment and a fine not les than AED 150,000 (approximately €37,140) and not exceeding AED 5,000 (approximately €123,800) or by any of these punishments. Any person who disclosed the information obtained unlawfuly by recieving or interception of communications will be punished by imprisonment for a period of not less than one year.

Article 21 of the Cybercrimes Law stipulates that a person who used an information network, electronic information system, or any of the information technology tools, to violate the privacy of a person, in cases other than those permitted in the Cybercrime Law, will be punished by imprisonment for a period not less than six months and a fine not less than AED 150,000 (approximately €37,140) and not more than AED 500,000 (approximately €123,800) or by any of these punishments. Such violations may occur using any of the following methods:

  • overhearing, interception, recording, transferring, transmitting, or disclosure of conversations, communications, or audio or visual materials;
  • capturing pictures of a third party or preparing electronic pictures or transferring, exposing, copying, or keeping those pictures; or
  • publishing electronic news or pictures or photographs, scenes, comments, statements, or information even if they were correct and real.

Article 22 of the Cybercrimes Law states that any person who used, without permission, any information network, electronic site, or information technology tool to expose confidential information obtained by occasion or because of his/her work, shall be punished by imprisonment for a period not less than six months and a fine not less than AED 50,000 (approximately €123,800) and not exceeding AED 1,000 (approximately €246,700), or by any of these punishments.

Article 72 of the Telecommunications Law penalises, with imprisonment of not more than one year and a fine of not les than AED 50,000 (approximately €12,340) and not more than AED 1,000,000 (approximately €246,700) or either of these penalties, persons who:

  • use telecommunications apparatus in an offensive or disruptive manner, or as a nuisance towards others, or for any unlawful purpose; or
  • copies or discloses, without right to do so, the content of any communication, telephone message or any of the telecommunications services, whether or not working under any licensee or related to a licensee by any relationship enabling that person to reveal the contents of communication or telephone message or any of the telecommunications services.

The DIFC Data Protection Law imposes pecuniary fines for general contraventions such as the misuse of personal information, specifically under Schedule 2 which specifies fines. The principal fine is of $10,000 (approximately €9,040) for processing sensitive personal data wiothout prior approval of the data subject (Article 36 of the DIFC Data Protection Law).

Originally published by Data Guidance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More