Privacy Law in the United Arab Emirates
The UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) establishes a comprehensive legal framework for data protection in the United Arab Emirates. Effective from January 2, 2022, with enforcement beginning in September 2022, the law aims to safeguard personal data and align with international standards such as the EU's GDPR.
📌 Key Provisions of the PDPL
1. Scope and Applicability
Territorial Reach: The PDPL applies to all entities processing personal data within the UAE, as well as those outside the UAE processing data of individuals located in the UAE.
Exemptions: The law does not apply to government data, personal data held by security or judicial authorities, or data processed for personal purposes. Additionally, entities in UAE free zones with their own data protection laws, such as the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), are exempt.
2. Data Subject Rights
Individuals are granted several rights under the PDPL, including:
Right to Access: Obtain information about the processing of their personal data.
Right to Rectification: Request corrections to inaccurate personal data.
Right to Erasure: Request deletion of personal data.
Right to Portability: Receive personal data in a structured, machine-readable format.
Right to Restrict Processing: Limit the processing of personal data under certain conditions.
Right to Object: Object to processing for direct marketing or scientific research purposes.
Right to Object to Automated Processing: Reject decisions based solely on automated processing.
3. Lawful Basis for Processing
Personal data processing is permitted under the PDPL when:
Consent: Obtained from the data subject through a clear affirmative action.
Contractual Necessity: Required to fulfill a contract with the data subject.
Legal Obligation: Necessary to comply with legal requirements.
Public Interest: Required for public interest or to protect public health.
Employment: Necessary for employment-related obligations.
4. Data Controllers and Processors Obligations
Entities acting as data controllers or processors must:
Implement Security Measures: Ensure confidentiality, integrity, and security of personal data.
Maintain Records: Document processing activities and data transfers.
Appoint Data Protection Officer (DPO): Designate a DPO in certain circumstances, such as high-risk processing activities.
Conduct Impact Assessments: Assess risks associated with data processing activities.
5. International Data Transfers
Transfers of personal data outside the UAE are permitted when:
Adequacy Decision: The recipient country has an adequate level of data protection.
Contractual Safeguards: Appropriate safeguards are in place, such as Standard Contractual Clauses.
Consent: Explicit consent is obtained from the data subject.
Contractual Necessity: Transfer is necessary for the performance of a contract with the data subject.
6. Data Breach Notification
In the event of a data breach, organizations must:
Notify the Data Office: Report the breach to the UAE Data Office.
Inform Data Subjects: Notify affected individuals without undue delay.
Mitigate Risks: Take steps to address the breach and prevent further incidents.
🏛️ Enforcement and Oversight
The UAE Data Office, established under a separate federal decree, serves as the central authority responsible for enforcing the PDPL. It oversees compliance, handles complaints, and has the authority to impose penalties for non-compliance.
📌 Summary
The UAE's Personal Data Protection Law represents a significant step toward enhancing data privacy and protection. It establishes clear obligations for organizations and grants individuals robust rights over their personal data. Entities operating in the UAE or processing data of UAE residents should review their data practices to ensure compliance with the PDPL.