The UAE enacted Federal Decree-Law No. 45 of 2021 regarding data protection (Law). The new Law will be the main data protection legislation in the UAE mainland and the free zones, with limited exceptions.

Who Does the Law Apply To

The Law is stated to apply to i) individuals who reside or have a place of business in the UAE, ii) locally established businesses that process data of data subjects located in or outside the UAE, and iii) any businesses outside the UAE that process personal data of individuals inside the UAE.

The Law does not apply to organisations established in free zones that have their own data protection legislation (for example the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM)), or some specific categories of data, for example, health data or banking and credit data that are subject to specific data protection legislation.

Key Aspects of the Law

Many of the obligations placed on controllers and processors are in line with international practices in the protection of personal data, including:

  • The requirement to process data in a fair, transparent and lawful manner; to collect personal data for specific and clear purposes and to ensure that data is sufficient for and limited to the purpose for which it is being processed, and to keep the data accurate, correct and updated.
  • The requirement to obtain consent except in limited cases which include the performance of contracts, compliance with legal obligations and protecting the data subject's vital interests. Interestingly, the exceptions do not include processing for the controller's legitimate interests.
  • The requirement for consent to be given in a clear, simple, unambiguous and easily accessible manner, and the requirement for consent and an opt-out option in relation to the use of personal data for marketing purposes.
  • Data subjects' rights with respect to their personal data, including the right of access to their personal data and to information concerning its processing, the right to correction or erasure of their personal data, the right to restrict the processing of their personal data in certain circumstances, and the right to stop and object to processing for direct marketing or automated processing.
  • The prohibition of the transfer of personal data (outside the UAE) to jurisdictions that do not offer an adequate level of protection without the data subject's consent, subject to specific derogations, including transfers necessary for the performance of contracts or to fulfil an obligation, protection of the data subject's vital interests, or preparing, pursuing or defending a legal claim. The Law allows the transfer of personal data to jurisdictions that offer an adequate level of protection; however, such transfers are subject to the approval of the UAE Data Office, the UAE national data privacy regulator.

Organisations must carry out an impact assessment when using any modern technologies that would pose a high risk to the privacy and confidentiality of data subjects' personal data.

The Law will enter into effect on January 2, 2022. The Executive Regulations, which deal with certain aspects of the law in further detail, are stated to be issued within six months of the date of promulgation of the Law. Organisations that are captured by the Law will have a period of 6 months from the date of issuance to comply with the requirements of the Law. Such organisations should start conducting an assessment of their processing activities in order to implement appropriate compliance measures as soon as possible.