UAE Federal Data Protection Law

UAE Data Protection Law - The Key Highlights

What is the scope of Data Protection Law in UAE?

• Processing of personal data, by any means, by every data controller inside or from outside the UAE
• Law does not apply to the use of personal data for personal purposes by a data subject, government data, government authorities that control or process personal data, or personal data processed by the security and judicial authorities.
• Does not cover personal health data or personal banking and credit data. Does not apply to UAE free zones.

What are the Controller & Processor obligations?

Processors and controllers should take appropriate measures and also formulate procedures to be compliant with all local and international standards, to ensure an appropriate level of information security. The law includes a list of such measures to be tested and evaluated.

Controllers on becoming aware of any personal data breach should inform the data office of the breach and any investigation conducted into the breach. Must also notify the data subject of the breach. Processors must inform the controller of any breach. Controllers must appoint a DPO in certain circumstances Controllers must conduct DPIAs.

Processors must maintain a record of processing activities of the processing conducted on behalf of the controller, which must be made available to the UAE Data Office upon request. Controllers and processors must implement technical and organisational measures to maintain a high standard of data security appropriate to the level of risk. The record of all processing activities must be available for submission to the UAE data office on request.

What is the Data subject rights and Penalties in UAE?

There is a transition period of six months for the companies to achieve compliance from the date of publication. Every individual has the right to bar anyone to process their information processed without their consent, they are not even authorized to withdraw their consent at any time. Though the law doesn’t exactly specify the range of penalties, Fines can be imposed based on a proposal from the data office’s Director-General and the data subjects can file a complaint in case of a breach by either the processor or controller. There is a right to data portability for everyone as well.

How HLB HAMT can help ?

These days, Even the data protection noncompliance in smaller and less important offices of a company group may now lead to significant ramifications. The efforts for being compliant with the new data law requirements are generally high; not all requirements can reasonably be fulfilled at once.

The company will have to assess what kind of data processing activities are of the biggest risk to its business, rights of the data subjects as well as the risks that are likely to lead to high fines. We help companies allocate and plan their required resources and help in the implementation of a compliant data protection structure including conducting data protection impact assessments.