On 20 September 2021, the United Arab Emirates issued Federal Decree-Law No. 45 of 2021 (the "UAE Federal Data Protection Law", also referred to as "Law No.45 of 2021"). The law was published as part of the UAE's 50th anniversary announcements and is one of the numerous legal reforms published by the UAE Government. The UAE now joins more than 130 jurisdictions with a comprehensive privacy law.
You may be wondering, does this law affect my company or business?
Do you have employees?
Do you have customers?
Do you have clients?
Do you collect or use personal data of individuals in the UAE?
If any of the above is yes, this law will affect your business.
The Law governs the Processing of Personal Data. Personal Data is any information that can identify an individual. This can be names, Emirates IDs, passports, visas, email addresses and phone numbers. It can also be unique identifiers such as staff numbers, device IDs and biometrics. If you collect, store or use personal information, you must comply with this Law.
The Law has many similarities with other international data protection frameworks such as Regulation (EU) 2016/679, the EU General Data Protection Regulation ("EU GDPR"). There are also some differences, which are highlighted below.
What is the UAE Federal Data Protection Law?
The UAE Federal Data Protection Law (Law No.45 of 2021) is the first comprehensive data protection law in the UAE. The key parts of the law are aligned with many international data protection frameworks including the EU GDPR. Prior to the enactment of Law No.45 of 2021, the UAE took a sectoral approach to data protection, with a Law governing healthcare privacy and central bank rules for the finance sector. The financial freezones of Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) both have independent comprehensive data protection laws based on the European framework for their respective jurisdictions.
When does the UAE Federal Data Protection Law come into effect?
The law came into effect on 2 January 2022 and is currently in force. However, there are gaps which will be addressed in the Executive Regulations. The UAE Cabinet has not yet enacted the Executive Regulations. We anticipate these will be published soon.
Who will regulate this law?
Federal Decree-Law No. 44 of 2021 establishes the UAE Data Office. This Office will act as the Federal Data Protection Authority. Its role and responsibilities will include handling complaints, managing breaches and imposing administrative and civil penalties for breaches of the Law. Until the appointment of the Director General (i.e. the Commissioner), the Telecommunications and Digital Government Regulatory Authority (TDRA) will be responsible for providing the UAE Data Office with administrative and regulatory support.
Who does the UAE Federal Data Protection Law apply to?
The definitions in the law are aligned with key international laws. Therefore, many organisations operating internationally will be familiar with definitions such as 'Data Controller', 'Data Processor' and 'Personal Data'. The 'Controller' is an entity that determines the purposes and means for processing personal data; in short, the company or entity that makes the decisions on collecting, storing and using personal data. A 'Processor', on the other hand, is an entity that only uses personal data on the instructions of the Controller.
Personal data means any information that can identify a person.
Does the law apply to me?
The law applies to:
1. the processing of personal data of people residing in the UAE;
2. entities in the UAE (i.e. Controllers or Processors located in the UAE);
3. entities outside the UAE that process the personal data of individuals located in the UAE.
In other words, if your organisation collects or uses personal information of individuals residing in the UAE, then the law applies whether or not you are located in the UAE. For organisations in the UAE, the rights and protections under the law apply irrespective of where the individual is located. For example, a Kuwaiti whose personal data is processed by a UAE-based organisation has rights under the Law.
What are the key features of the UAE Federal Data Protection Law?
- Appointment of Data Protection Officers
Firstly, under Article 10 of the UAE Federal Data Protection Law, certain organisations are required to appoint a Data Protection Officer ("DPO"). If your organisation's processing (a) could cause a high risk to the confidentiality of individuals through its use of new technologies, (b) involves systematic and comprehensive processing of sensitive personal data, or (c) involves large volumes of sensitive personal data, you will need to appoint a DPO.
During the pandemic, many organisations may have been collecting sensitive personal data about employees, customers, clients and/or students in the case of schools. Therefore, you must consider carefully whether your organisation is processing 'large volumes'. If you are unsure, you should err on the side of caution and consider appointing a DPO to represent your organisation.
The Law states that the DPO must be skilled and have both professional qualities and expert knowledge of privacy laws. The role can be either in-house or provided through a service contract. The DPO has specific tasks and obligations towards individuals, members of the public and the Regulator. At DP3R, we have the experience, knowledge and expertise to represent you as your outsourced statutory DPO. We represent and support some of the key brands in the UAE and in the UK.
- Individual Rights
Individuals are given rights over their personal data.
The rights provided by the Law include:
Right to Access / Obtain Information (Article 13);
Right to Portability (Article 14);
Right to Rectification and Erasure (Article 15);
Right to Restrict Processing (Article 16);
Right to suspend processing (Article 17);
Rights relating to automated processing (Article 18).
- Supply Chain Management
The Law requires Controllers to identify third parties that access or process personal data and to put in place specific contractual obligations. In practice, this means your organisation will have to conduct a re-papering exercise, updating all relevant legal and commercial terms with service providers that have access to, or process, personal data. At DP3R, we have EU GDPR experience and have partnered with key law firms to support you in developing compliant contract templates and clauses. Our partners are lawyers experienced with the EU GDPR.
- Central Register of Processing Activities
Organisations will have to conduct a data mapping exercise and identify all the personal data they process. This information must be maintained in a register referred to as the Record of Processing Activities (RoPA). The RoPA must identify the purposes of processing, the reason for collection, the retention period and any third-party involvement. At DP3R, we can provide you with the tools to conduct this exercise.
- Data Transfers
The law states that Personal Data shall not be transferred outside the UAE without appropriate safeguards or reliance on an exemption. Similar to other international frameworks, the Law allows transfers to jurisdictions that have an 'appropriate level of protection', in other words, adequacy as determined by the Regulator. In the absence of an adequacy determination, the law also permits transfers where there is a contract between the exporter and the importer, similar to the EU GDPR standard contractual clauses. Further information will be announced in the Cabinet Resolution.
Where should I begin?
Like most global data protection and privacy laws, this law requires organisations to take a risk-based approach. Depending on your processing activities and the risks they pose to individuals, you will need to apply appropriate measures to mitigate those risks. For example, the controls required for a small clothing retail unit will differ from those for a healthcare or tech company. Therefore, your starting point is a comprehensive gap assessment that looks at your processing activities, your size, and the type and nature of the data your organisation collects.
At DP3R, we can support you in conducting this assessment.
Contact us to conduct a Data Protection - Regulatory Risk Review (3R Gap Assessment) of your current position. We will then provide you with a detailed report highlighting your gaps and areas of risk, with recommendations. Our DP3R Assessment covers all the key requirements and obligations for compliance with Law No.45 of 2021.
At DP3R, we provide a holistic solution for all your UAE data protection compliance needs. We can help you achieve compliance. We are leaders in the field. We are the only management consultancy in Abu Dhabi that also meets the statutory requirement of experience and expertise under Article 10(1) of Law No.45 of 2021 to represent you as your outsourced Data Protection Officer.
Contact us to see how we advise, support and represent you.
For more information, see our Capabilities and Services.
You can also call us on: +971 2 815 7932