UAE Federal Data Protection Law
UAE’s Federal Data Protection Law finally came into effect on 2nd January 2022, and companies will have 6 months from the date of the executive regulations, to be issued by March 20th, 2022, to become compliant with the law. The law focuses mainly on data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record-keeping requirements. The UAE Data Office will be the regulatory authority and has the power to process all personal data by controllers and processors located in the UAE and outside the UAE and can exempt UAE companies that do not process large volumes of personal data. In a nutshell, the law clearly explains the usage of personal data and lays out measures for controllers to process it with awareness of any possible data breach. The appointment and role of the Data Protection Officer (DPO), the rights of data subjects, administrative penalties in case of a breach, etc. are well defined in this law.
UAE Data Protection Law - The Key Highlights
What is the scope of the Data Protection Law in the UAE?
- Processing of personal data, by any means, by every data controller inside or from outside the UAE
- The law does not apply to the use of personal data for personal purposes by a data subject, government data, government authorities that control or process personal data, or personal data processed by the security and judicial authorities.
- Does not cover personal health data or personal banking and credit data. Does not apply to UAE free zones.
What are the Controller & Processor obligations?
Processors and controllers should take appropriate measures and also formulate procedures to be compliant with all local and international standards, to ensure an appropriate level of information security. The law includes a list of such measures to be tested and evaluated.
Controllers, on becoming aware of any personal data breach, should inform the data office of the breach and of any investigation conducted into it. They must also notify the data subject of the breach. Processors must inform the controller of any breach. Controllers must appoint a DPO in certain circumstances. Controllers must conduct DPIAs.
Processors must maintain a record of processing activities of the processing conducted on behalf of the controller, which must be made available to the UAE Data Office upon request. Controllers and processors must implement technical and organisational measures to maintain a high standard of data security appropriate to the level of risk. The record of all processing activities must be available for submission to the UAE data office on request.
What are the data subject rights and penalties in the UAE?
There is a transition period of six months for companies to achieve compliance from the date of publication. Every individual has the right to bar anyone from processing their information without their consent; they are not even authorized to withdraw their consent at any time. Though the law doesn’t exactly specify the range of penalties, fines can be imposed based on a proposal from the data office’s Director-General, and data subjects can file a complaint in case of a breach by either the processor or the controller. There is a right to data portability for everyone as well.
How HLB HAMT can help?
These days, even data protection noncompliance in smaller and less important offices of a company group may lead to significant ramifications. The effort required to comply with the new data law requirements is generally high; not all requirements can reasonably be fulfilled at once.
The company will have to assess what kind of data processing activities are of the biggest risk to its business, rights of the data subjects as well as the risks that are likely to lead to high fines. We help companies allocate and plan their required resources and help in the implementation of a compliant data protection structure including conducting data protection impact assessments.