UAE’s Data Protection Law 2020 & PDPL

The Dubai International Financial Centre (DIFC) issued the Data Protection Law 2020, which went into effect on July 1, 2020. The law was enacted by ‘The Ruler’ and is governed by the Data Protection Law, DIFC Law No. 5 of 2020, and the Data Protection Regulations. It is designed to set a standard for data protection and the free movement of data.

In September 2021, the United Arab Emirates (UAE) drafted new laws and legislative amendments, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which went into effect in January 2022. The amendments develop the legislative structure in various sectors, as well as laws relating to society and personal security, including the Online Security Law. The PDPL shares many features with other international data protection laws, especially the European Union’s GDPR.

Scope

The PDPL applies to:

  • The processing of personal data of people residing in the UAE, or people having a business within the UAE
  • Each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE
  • Each Controller or Processor located outside the UAE who carries out processing activities of data subjects that are inside the UAE

Exceptions

  • The free zones in the UAE
  • Public entities with their own data protection legislation
  • Health and public data governed by existing sectoral legislation

Key Definitions

Personal Data

Personal data is defined as any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as a name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics.

Sensitive Personal Data

Sensitive information is defined as any information that directly or indirectly reveals a person’s race, ethnicity, political and religious views, criminal record, biometric data, health data and sexual state.

Key Principles of PDPL

The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.

The law defines the controls for the processing of personal data and the general obligations of companies with personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or carry out any legal procedures and rights.

The PDPL sets out the conditions that must be met for consent obtained from data subjects for the processing of their personal information to be valid.

The law gives the owner of the data the right to request correction of inaccurate personal data, as well as to restrict or stop the processing of their personal data.

PDPL sets the requirements for cross-border transfer and sharing of personal data for processing purposes.

Before processing a data subject’s personal data, a controller must inform the data subject of the purposes of the processing, any third parties with whom the personal data will be shared, and the protection measures put in place to cover any cross-border data transfers.

The PDPL requires the data controller and processor to implement appropriate technical and organizational measures to ensure a level of information security appropriate to the risks associated with the processing, in line with the best international standards and practices.

Data controllers and data processors are both separately required to keep records concerning the personal data they process. The content requirements for such records are primarily aligned with the equivalent requirements under the GDPR but with some additional points.

The data controller shall immediately notify the Office and the affected data subjects of any Personal Data Breach that might result in a risk to the privacy, confidentiality, and security of their data, within the period specified in the Executive Regulations.

Personal data can only be processed with the consent of the data subject, except in certain lawful circumstances, including:

  • When necessary to fulfill a contractual obligation or public service
  • When the data subject has made the data public
  • When necessary to protect the interest of the data subject
  • When necessary for judicial and security procedures
  • When necessary for medical purposes or matters of public health
  • When necessary for archival purposes
  • When necessary for the data controller's compliance with legal obligations
  • Any other circumstances specified by the Executive Regulations issued under the PDPL

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

©2021 All Rights Reserved. AnnexCloud