The Dubai International Financial Center (DIFC) issued the Data Protection Law 2020, which went into effect July 1, 2020. The law was made and enforced by ‘The Ruler’ and is governed by the Data Protection Law, DIFC Law No. 5 of 2020 and the Data Protection Regulations. This law is designed to create a standard for data protection and free movement of data.
In September 2021, the United Arab Emirates (UAE) drafted new laws and legislative amendments, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which went into effect in January 2022. The amendments develop the legislative structure in various sectors, as well as laws related to society and personal security, including the Online Security Law. The PDPL shares many similarities with international data protection laws, especially the European Union’s GDPR.
The PDPL applies to:
The processing of personal data of people residing in the UAE, or people having a business within the UAE;
Each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE;
Each Controller or Processor located outside the UAE who carries out processing activities relating to data subjects inside the UAE.
Personal data is defined as any data relating to an identified natural person, or to a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as a name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics.
Sensitive information is defined as any information that directly or indirectly reveals a person’s race, ethnicity, political and religious views, criminal record, biometric data, health data and sexual state.
The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.
The law defines the controls for the processing of personal data and the general obligations of companies that hold personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except in certain cases in which the processing is necessary to protect a public interest or to carry out legal procedures and rights.
The PDPL sets out the conditions for obtaining valid consent from data subjects for the processing of their personal data.
The law gives the owner of the data the right to request correction of inaccurate personal data, and to restrict or stop the processing of his/her personal data.
PDPL sets the requirements for cross-border transfer and sharing of personal data for processing purposes.
Before processing a data subject’s personal data, a controller must inform the data subject of the purposes of the processing, of any third parties with whom the personal data will be shared, and of the protection measures put in place to cover any cross-border data transfers.
The PDPL requires the data controller and processor to implement appropriate technical and organizational measures to ensure a level of information security appropriate to the risks associated with the processing, in line with the best international standards and practices.
Data controllers and data processors are both separately required to keep records concerning the personal data they process. The content requirements for such records are primarily aligned with the equivalent requirements under the GDPR but with some additional points.
The data controller shall immediately notify the Office and the affected data subjects, within the period specified in the Executive Regulations, of any Personal Data Breach that might result in a risk to the privacy, confidentiality and security of their data.
Personal data can only be processed with the consent of the data subject except in certain lawful circumstances, including: