UAE Federal Data Protection Law

UAE’s Federal Data Protection Law finally came into effect on 2nd January 2022 and the companies will have 6 months from the date of executive regulations, to be issued by March 20th, 2022, to get compliant with the law. The law focuses mainly on data subject rights, data breach requirements, data protection impact assessments, data transfer requirements and notification and record-keeping requirements. UAE data office will be the regulatory authority and has the power to process all personal data by controllers and processors located in the UAE and outside the UAE and can exempt UAE companies that do not process large volumes of personal data. In a nutshell, the law clearly explains the usage of personal data and lays out measures for the controllers to process the same with the awareness of any possible data breach. The Data Protection office (DPO) appointment and their roles, the rights of the data subjects, administrative penalties in case of any breach, etc. are defined well in this law.

Get Free Consultation

HLB HAMT - Accounting Firm in UAE

Phone:- +971 4 327 7775
Mobile:- +971 52 830 7998
WhatsApp:- +971 56 219 1607

    Schedule a Consultation

    UAE Data Protection Law - The Key Highlights

    What is the scope of Data Protection Law in UAE?

    • Processing of personal data, by any means, by every data controller inside or from outside the UAE
    • Law does not apply to the use of personal data for personal purposes by a data subject, government data, government authorities that control or process personal data, or personal data processed by the security and judicial authorities.
    • Does not cover personal health data or personal banking and credit data. Does not apply to UAE free zones.

    What are the Controller & Processor obligations?

    Processors and controllers should take appropriate measures and also formulate procedures to be compliant with all local and international standards, to ensure an appropriate level of information security. The law includes a list of such measures to be tested and evaluated.

    Controllers on becoming aware of any personal data breach should inform the data office of the breach and any investigation conducted into the breach. Must also notify the data subject of the breach. Processors must inform the controller of any breach. Controllers must appoint a DPO in certain circumstances Controllers must conduct DPIAs.

    Processors must maintain a record of processing activities of the processing conducted on behalf of the controller, which must be made available to the UAE Data Office upon request. Controllers and processors must implement technical and organisational measures to maintain a high standard of data security appropriate to the level of risk. The record of all processing activities must be available for submission to the UAE data office on request.

    What is the Data subject rights and Penalties in UAE?

    There is a transition period of six months for the companies to achieve compliance from the date of publication. Every individual has the right to bar anyone to process their information processed without their consent, they are not even authorized to withdraw their consent at any time. Though the law doesn’t exactly specify the range of penalties, Fines can be imposed based on a proposal from the data office’s Director-General and the data subjects can file a complaint in case of a breach by either the processor or controller. There is a right to data portability for everyone as well.

    How HLB HAMT can help ?

    Federal Data Protection Law

    These days, Even the data protection noncompliance in smaller and less important offices of a company group may now lead to significant ramifications. The efforts for being compliant with the new data law requirements are generally high; not all requirements can reasonably be fulfilled at once.

    The company will have to assess what kind of data processing activities are of the biggest risk to its business, rights of the data subjects as well as the risks that are likely to lead to high fines. We help companies allocate and plan their required resources and help in the implementation of a compliant data protection structure including conducting data protection impact assessments.

    Our Technology Consulting Services

    Get in touch

    Whatever your question our team will point you in the right direction

    Start the conversation
    Get in touch

    Share to:

    Copy link:

    Copied to clipboard Copy