Alsuwaidi & Company
What law(s) specifically govern personal data / information?
In the United Arab Emirates, the collection and processing of personal data is governed by Federal Decree-Law No. 45/2021 on the Protection of Personal Data (“PDPL”). This law was enacted in the spirit of aligning personal data protection in the UAE with international practices.
The PDPL operates alongside but does not replace the Dubai International Financial Centre (DIFC) Law No. 5 of 2020 on Data Protection and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021; the DIFC and ADGM are free zones that have enacted their own data protection laws. Those laws and regulations are, however, only applicable to entities that are registered and located within the respective free zones.
The PDPL also operates alongside Federal Law No. 2 of 2019 on the Use of Information and Communications Technology (ICT) in Healthcare and the Consumer Protection Regulation (Circular No. 8/2020) (CPR), which was issued by the Central Bank of the UAE on 31 December 2020. These instruments address, respectively, the use of ICT in the healthcare sector and the consumer data governance requirements for licensed financial institutions regulated by the Central Bank.
In addition, it should be noted that the Consumer’s Protection Law (Federal Law no. 15 of 2020) is also of relevance when it comes to the protection of consumer data and the prohibition of suppliers from using the same for marketing purposes.
Further, Cabinet Decision No. 83 of 2022, which sets out the Executive Regulations of the PDPL, provides more detailed guidance on key compliance requirements, including data subject rights, cross-border data transfers, and data breach notifications.
What are the key data protection principles in this jurisdiction?
The key principles in the PDPL are consistent with those adopted by global data protection laws such as the European Union’s General Data Protection Regulation (GDPR). These principles include, but are not limited to:
- Processing must occur in a fair, transparent and lawful manner;
- Personal data should be collected for a specific and clear purpose;
- Only necessary data should be processed based on the specific purpose or for purposes similar, or close to the specific purpose;
- Personal Data should be kept accurately and up to date;
- Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data;
- Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorised processing; and
- Personal Data may not be kept after fulfilling the purpose of processing unless the identity of the data subject is anonymised.
The PDPL also imposes accountability obligations on data controllers and processors, requiring them to adopt appropriate technical and organisational measures to ensure and demonstrate compliance with these principles.
What is the supervisory authority / regulator in charge of data protection?
The UAE Data Office is the national body overseeing data regulations. This body was established under the UAE Federal Decree-Law No. 44 of 2021.
The UAE Data Office, which operates under the auspices of the UAE Cabinet-affiliated office, is mandated to:
- Develop data protection policies and laws
- Propose and approve standards for monitoring data protection
- Set up systems for handling data-related complaints, grievances and breaches
- Issue guidelines and instructions for implementation of the law
In addition to the UAE Data Office, free zone entities are subject to the oversight of their respective regulators:
- In the DIFC, the Commissioner of Data Protection is responsible for the supervision and enforcement of the DIFC Data Protection Law.
- In ADGM, the ADGM Office of Data Protection acts as the competent supervisory authority under the ADGM Data Protection Regulations 2021.
Is there a requirement to register with a supervisory authority / regulator?
No, the PDPL does not impose any initial filing or registration requirements with the UAE Data Office. However, data controllers and processors are obliged to maintain a detailed internal register of their personal data processing activities and to make that register available to the Data Office on request.
For the DIFC, controllers and processors are required to submit a notification to the Commissioner via the DIFC’s online portal, as required by the law, and to keep the notification up to date. The notification must contain information including a general description of the personal data processing being carried out, the purpose of the processing, the data subjects (or class of data subjects) whose personal data is being processed, the class of personal data being processed, a statement of the jurisdiction(s) to which personal data will be transferred by the controller, and an explanation of whether each such jurisdiction possesses an adequate level of protection for the purposes of the law. It should be noted that where an organisation is required to appoint a Data Protection Officer (DPO), the DPO is required to submit an “Annual Assessment” in the form prescribed by the Commissioner.
As for ADGM, most of the required information would have been provided to the Commissioner of Data Protection during the company incorporation and registration process. A registered entity is permitted to start processing personal data upon the incorporation date.
However, it should be noted that Article 24 of the ADGM Data Protection Regulations 2021 requires controllers to pay a data protection fee (with a renewal fee payable annually) to the Commissioner of Data Protection before, or as soon as reasonably practicable after, they commence processing personal data. Controllers and processors are similarly required to maintain a record of processing activities by virtue of Article 28 of the ADGM Data Protection Regulations 2021. That record must be made available to the Commissioner of Data Protection upon request.
Is there a requirement to notify the supervisory authority / regulator?
Yes, Article 9 of the PDPL mandates that the Controller must promptly report to the Data Office, on becoming aware of any personal data breach that would prejudice the privacy or confidentiality of personal data, the infringement or breach and the results of the investigation, within such period and in accordance with such procedures and conditions as set by the Executive Regulations. However, the said Regulations have yet to be published as of the date of writing this update. Similarly, for the DIFC, in the event of a personal data breach which compromises the confidentiality, security or privacy of the personal data of data subjects, the controller is required to notify the Commissioner of the breach as soon as practicable in the circumstances.
Pursuant to Article 32(1) of the ADGM Data Protection Regulations 2021, the Data Controller must inform the Commissioner of Data Protection upon becoming aware of a personal data breach without undue delay, and where feasible, not later than 72 hours after becoming aware of it.
Is it possible to register with / notify the supervisory authority / regulator online?
As of the date of writing this update, the Data Office, which is responsible for administering and enforcing the PDPL, has not yet been established. Accordingly, there is currently no online portal available for registration or notification under the PDPL framework.
In the DIFC, a personal data breach is reportable to the DIFC Commissioner of Data Protection by filing the Breach Reporting Form on the DIFC website, which is submitted through the DIFC Portal for notification to the Commissioner via case management.
In the ADGM, reporting data breaches to the Office of Data Protection can be done via the ADGM’s Online Registry Solution.
What are the key data subject rights under the data protection laws of this jurisdiction?
The key data subject rights under the PDPL are as follows:
- Article 13 – Right to Obtain Information
- Article 14 – Right to Request Personal Data Transfer
- Article 15 – Right to Correction or Erasure of Personal Data
- Article 16 – Right to Restrict Processing
- Article 17 – Right to Stop Processing
- Article 18 – Right to Processing and Automated Processing
As with the PDPL, the Data Protection Laws in the DIFC and ADGM are consistent with international practice and hence the data subject rights afforded under these laws are largely the same.
Is there a requirement to appoint a data protection officer (or equivalent)?
By virtue of Article 10 of the PDPL, the Controller and Processor must designate a Data Protection Officer (DPO) if their data processing presents significant risks to personal data privacy as a consequence of adopting new technologies or of the volume of data processed, involves large-scale sensitive data, or includes systematic profiling or automated processing. The DPO may be based inside or outside the UAE, and their contact details must be shared with the Data Office.
In the DIFC, DPOs are mandatory for DIFC Bodies, other than courts acting in their judicial capacity, and a controller or processor performing high risk processing activities on a systematic or regular basis.
The ADGM Data Protection Regulations 2021 require that a controller or a processor must appoint a DPO where the processing is carried out by a public authority, where the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where the core activities consist of processing special categories of personal data on a large scale.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
As per Article 21 of the PDPL, the Controller is required to assess the impact of data processing on personal data protection before initiating any high-risk processing activities, particularly when using new technologies. This evaluation is necessary for systematic profiling, where processing involves a large volume of sensitive data, or in other high-risk scenarios, and should cover a description of the proposed processing operations and their purpose, the necessity of the processing, the risks to the protection of personal data, and the measures to address those risks.
Article 20(1) of the DIFC Law No. 5 of 2020 requires controllers to conduct a Data Protection Impact Assessment before carrying out High Risk Processing Activities as defined under the law. At a high level, these include processing operations that involve evaluation or scoring (including profiling), automated decision-making, sensitive data, data processed on a large scale, or the innovative use or application of new technological or organisational solutions which creates a materially increased risk to the security or rights of a data subject or makes it more difficult for a data subject to exercise their rights. It should be noted that the Commissioner’s Office has produced a DP Assessment Tool, which can be accessed here: https://www.surveygizmo.com/s3/5795100/DP-Assessment-Tool-High-Risk-Processing-Activities
Similarly, under the ADGM Data Protection Regulations 2021, a controller must carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before commencing any processing that is likely to result in a high risk to the rights of natural persons.
Does this jurisdiction have any specific data breach notification requirements?
Yes, Article 9 of the PDPL sets out the details to be included in the notification, including any reporting period. These include detailed information about the breach and its potential consequences, a description of any mitigations and corrective steps undertaken to address and remedy the breach and its effects, and the name of the DPO, if any. The notification must be submitted in accordance with the procedures and timelines set out in the Executive Regulations, which remain pending as of the date of this update.
Additionally, the Processor must inform the controller immediately of any breaches, allowing the controller to make the required report to the Data Office. Upon receiving the report from the controller, the Data Office shall investigate accordingly and may impose administrative penalties stated in Article 26 of the PDPL for regulatory violations.
For the DIFC, a breach notification must include, at a minimum, information similar to that required under the PDPL, including the following:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the DPO or other contact point from which more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Similarly, processors must notify controllers without undue delay after becoming aware of a personal data breach. Further, a controller must send a notification to a data subject as soon as practicable where a personal data breach is likely to impede the security or rights of that data subject. Should an immediate risk of damage present itself to the data subject, the controller must promptly communicate with the affected data subject.
Under Article 32 of the ADGM Data Protection Regulations 2021, data controllers must notify the Office of Data Protection of personal data breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of them. The notification prompts the controller to provide details of the incident through a questionnaire, including, amongst other things, the facts of the incident, the preventive measures in place, and details of the policies and procedures relevant to the incident, including their implementation dates. The notification is submitted entirely online, and the controller is guided to provide as much detail as possible while answering the questionnaire.
What restrictions apply to the international transfer of personal data / information?
Article 22 of the PDPL permits the transfer of personal data to countries with robust data protection laws in place or where the specific country has acceded to bilateral or multilateral agreements relating to the protection of personal data. The Executive Regulations (Cabinet Decision No. 83 of 2022) further outline the mechanisms that may be used to lawfully transfer data, including the use of contractual clauses, adequacy lists issued by the UAE Data Office, and other safeguards.
On the other hand, Article 23 of the PDPL allows personal data to be transferred to countries lacking adequate data protection in the following cases: where the transfer is necessary for the conclusion or performance of a contract between the controller and the individual, or between the controller and third parties in the individual’s interest; where the data subject has consented; where the transfer is necessary for international judicial cooperation; or where the transfer is necessary to protect the public interest. Detailed requirements are to be set by the Executive Regulations.
In the DIFC, personal data may be transferred out of the DIFC to a country or jurisdiction that has been determined to have adequate protections (listed on the DIFC Commissioner for Data Protection website), or where the controller or processor has provided appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available, or where the specific derogations or limited circumstances set out in Article 27(4) of the DIFC Data Protection Law apply.
For the ADGM, the ADGM Data Protection Regulations 2021 limit the transfer of personal data outside the ADGM, whether to a different jurisdiction or to an international organisation. The term "transfer" is broadly defined to include not just sending data but also making it accessible to individuals or organisations in other jurisdictions. This encompasses transfers to recipients based within onshore UAE. There are, however, exceptions under which personal data can legitimately be transferred outside the ADGM. These include transfers on the basis of an adequacy decision, with the list of adequate jurisdictions published on the ADGM website. In addition, personal data can be transferred outside the ADGM on the basis of appropriate safeguards, without the need for Commissioner approval of the transfer. Transfers may also be carried out on the basis of standard contractual clauses or binding corporate rules, provided they meet the requirements set out by the ADGM Office of Data Protection.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The PDPL applies to the processing of personal data in these cases:
- If the data subject lives or has a business in the UAE.
- If the data controller or processor is based in the UAE, regardless of where the data processing takes place.
- If the data controller or processor is outside the UAE but processes the personal data of individuals within the UAE.
Essentially, the PDPL applies to data processing involving UAE residents or businesses. Data subjects processing data for personal purposes may be exempt from some of these rules, which can seem unusual given that the law focuses on the processing activities of UAE-based entities.
Article 2 of the PDPL provides that the Decree Law governs personal data processing by anyone within the State or by entities outside the State handling data of individuals within the State. Exceptions include government data, certain government authorities and organizations/entities with their own data protection laws (such as DIFC), personal data managed by security and judicial authorities, personal data processed for personal reasons, and data covered by specific legislation like health or banking data.
The DIFC and ADGM Data Protection Laws similarly have extra-territorial effect. The DIFC Data Protection Law applies to a controller or processor, regardless of its place of incorporation, that processes personal data in the DIFC as part of stable arrangements, while the ADGM Data Protection Regulations 2021 apply when a processor in the ADGM processes personal data for a controller outside the ADGM. In that case, the processor is required to comply with the ADGM Regulations to the extent possible, taking into account whether the controller is subject to similar obligations in its home jurisdiction.
What rules specifically deal with marketing?
Article 17 of the PDPL allows data subjects to refuse or request the cessation of processing of their personal data in cases involving direct marketing, statistical surveys (unless needed for public interest), or if the processing breaches specific legal requirements. Controllers must respect such objections and cease processing unless an overriding legal justification applies.
The DIFC Data Protection Law, on the other hand, requires controllers to inform data subjects of the purposes for which they process their personal data, including whether the personal data will be used for direct marketing purposes. While consent is not explicitly mandated, data subjects must be informed before the initial disclosure of their personal data to third parties or its use for direct marketing purposes. They must also be given the explicit right to object to such disclosures or uses. Additionally, if personal data is processed for direct marketing, data subjects may object at any time to this processing, including any related profiling.
As regards the ADGM, Part 2 of the Commissioner’s Guidance states that consent is not always required for direct marketing and that legitimate interests can often be used as the legal basis for processing. When relying on legitimate interests, individuals must be able to object both at the point of data collection and in each communication (e.g., via an "unsubscribe" link). A pre-ticked box may be sufficient for the objection right at data collection.
It is important to evaluate whether marketing interests outweigh data subjects' rights and interests, particularly in the case of sensitive topics or vulnerable groups. In such cases, obtaining explicit consent may be more suitable. Controllers must also maintain transparency by clearly outlining their marketing practices in privacy notices.
Do different rules apply to business-to-business and business-to-consumer marketing?
There is no express distinction in rules applicable to business-to-business (B2B) and business-to-consumer (B2C) marketing. The general data protection principles and rights of data subjects apply uniformly, regardless of whether the recipient is a business contact or an individual consumer.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?
The rules that deal with electronic marketing are the same as those outlined above in relation to direct marketing under the PDPL, DIFC, and ADGM frameworks. These include the right of individuals to object to marketing communications, the obligation to provide notice, and where applicable, the use of consent or legitimate interest as a legal basis.
However, the Telecommunications and Digital Government Regulatory Authority (TDRA) has issued a "Regulatory Policy for Spam Electronic Communications" (the “Policy”). This Policy mandates that TDRA licensees implement all feasible technical and organisational measures to reduce the transmission of spam communications across UAE telecommunications networks. Additionally, the Policy prohibits licensees from selling, supplying, using, or knowingly allowing access to any tools, software, hardware, or mechanisms that aid in the collection and creation of electronic addresses.
What rules specifically deal with cookies?
The PDPL mandates that organisations must secure consent prior to gathering, using, or distributing personal data. It also requires the implementation of suitable security protocols and measures to safeguard and protect such data. While the law does not explicitly refer to "cookies", the use of cookies that involve the collection of identifiable personal data (e.g. IP addresses, device IDs, user behaviour) would fall under the PDPL’s broader consent and transparency requirements. Data subjects are also granted the "right to stop processing" of their personal data when it is used for direct marketing, including any related profiling.
Under DIFC Data Protection Law, a data subject must be informed before their personal data is first disclosed to third parties or used for direct marketing. They must also be explicitly offered the right to object to direct marketing, including any related profiling. While there is no express mention of cookies, similar principles apply where cookies track user behaviour or collect identifiable data.
The ADGM Data Protection Regulations 2021 mirror these provisions and additionally state that if a data subject objects to direct marketing, their data must no longer be used for such purposes. As with DIFC, cookies used for tracking or profiling would generally be subject to the same consent and objection rights.
There is currently no dedicated cookie regulation in the UAE akin to the EU’s ePrivacy Directive. However, where cookies collect personal data, they are subject to general data protection rules.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The PDPL does not detail specific penalties but states that the Cabinet will, upon the Office General Manager's proposal, issue a decision outlining the acts that breach the Decree Law and its Executive Regulations, along with the corresponding administrative penalties.
In the DIFC, the Commissioner of Data Protection is empowered to issue directions requiring a controller or processor to refrain from processing personal data specified in the direction, or from processing it for a purpose or in a manner specified in the direction. In the DIFC, fines imposed can be up to USD 100,000 or more for serious violations.
Similarly, the Commissioner of Data Protection in ADGM has the power to impose a temporary or permanent limitation, including a ban, on the processing.
A court order is not required for such enforcement action in either the DIFC or the ADGM.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Multinational organisations must consider several key factors when processing personal data of individuals within a jurisdiction, even if the organisation is not physically located there. Specifically, the PDPL applies to the processing of personal data regardless of whether the data processor is inside or outside the UAE, in addition to the extra-territorial element of the DIFC and ADGM Data Protection Laws discussed above. This means that such organisations must adhere to the Data Protection Laws as if they were located within the UAE or the relevant free zones, and this requirement should be carefully considered regardless of their physical location.
What upcoming data protection developments should multinational organisations be aware of?
Multinational organisations in the UAE should keep an eye on the Executive Regulations pursuant to the PDPL that are to be announced, which shall shed light on the procedural aspects of the matters provided for in the PDPL.
In addition, companies should stay updated on amendments or updates to the DIFC and ADGM Data Protection frameworks, including any new guidance notes, enforcement precedents, or technological developments (such as AI, automated decision-making, or cross-border data flow guidance) addressed by their respective Commissioners.