The United Arab Emirates (UAE) has published its first Federal Data Protection Law No. 45 of 2021, which came into effect on 2 January 2022.
This alert provides an overview of the law which will be supplemented by the expected executive regulations (Executive Regulations), as well as key aspects in comparison with other data protection frameworks such as the EU General Data Protection Regulation (GDPR).
The law applies to the processing of personal data of data subjects residing in the UAE or having a workplace in the UAE; controllers or processors established in the UAE that carry out the activities of processing personal data for data subjects in the UAE or abroad; and controllers or processors established outside of the UAE that carry out the activities of processing personal data for data subjects in the UAE.
The law states that the personal data must be collected for a specific and clear purpose and may not be processed later in a manner incompatible with that specific original purpose.
Additionally, personal data must be limited to what is necessary in accordance with the purpose for which the processing is carried out, must be stored securely, and be protected against unauthorised or unlawful processing using appropriate technical or organisational measures to be specified.
The controller and processor must appoint a Data Protection Officer who has relevant and sufficient skills and knowledge. The Data Protection Officer may be employed or appointed by the controller or processor and is not required to be a UAE resident.
The controller must inform the Emirates Data Office as soon as it becomes aware of any breach of personal data that would undermine the privacy, confidentiality, and security of a data subject. The notification must detail any preliminary investigation results as well as a statement on the nature, cause and extent of the breach. The notification must also include information on the Data Protection Officer, the possible and expected effects of the breach, the procedures and measures already taken by the controller, and any additional proposed measures to counter the breach and mitigate its effects.
Personal data may be transferred outside the UAE to jurisdictions that have legislation for the protection of personal data, including provisions relating to the conditions and rules for protecting the privacy and confidentiality of a data subject’s personal data, a data subject’s ability to exercise their rights, and provisions relating to imposing appropriate measures on the controller or processor through a supervisory or judicial authority.
A transfer of personal data outside of the UAE is also permitted where it is required in order to carry out obligations, establish rights before judicial authorities, defend claims, perform a contract between a data subject and a controller or between a controller and a third party to achieve the data subject’s interest.