UAE Personal Data Protection Law – FAQs

The UAE has published its long awaited federal level data protection law.

06 December 2021


The United Arab Emirates (UAE) has published its long-awaited federal level data protection law – Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL). Here we answer some of the most pressing questions.

1). How long do businesses have to comply with the PDPL?

Compliance steps should be taken immediately but our current view is that enforcement won’t commence before September 2022.

The PDPL will be enforceable six months after the associated executive regulations (the Executive Regulations) are issued. The Executive Regulations are to be issued within six months from the 20 September 2021 date of issuance of the law (ie by 20 March 2022), meaning enforcement will likely commence from 20 September 2022. Note, however, that the Data Office (as defined under question 6 below) reserves the right to extend the enforcement date and there could be a delay in the Executive Regulations.

2). Has the law been published in full?

No – as mentioned above, the Executive Regulations for implementing the provisions of the PDPL are to be issued within six months from the date of issuance of the law. Once issued, the Executive Regulations should give us a more detailed understanding of the specific requirements under the PDPL.

3). Who does the PDPL apply to?

The PDPL has extra-territorial effect and applies to:

  • every data controller or data processor in the UAE who processes personal data of data subjects inside or outside the UAE; and
  • every data controller or data processor established outside the UAE carrying out processing activities in relation to data subjects located within the UAE.

4). Who is specifically exempted from complying with the PDPL?

The PDPL does not apply to:

  • government data and public entities;
  • personal data processed by security and judicial authorities;
  • health related personal data governed by other existing legislation;
  • bank and credit related personal data governed by other existing legislation; and
  • companies that are established in free zones which have introduced their own respective data protection regulations (such as the DIFC and ADGM).

In addition to this, the Data Office (as defined under question 6 below) retains the discretion to exempt certain entities from having to comply with all or part of the law where such entities do not process personal data on a “large scale”. More information on the scope of this exemption is expected in the Executive Regulations.

5). How will the PDPL interact with data protection laws in UAE free zones?

As noted under question 4 above, the PDPL will not apply to companies that are established in the free zones which have introduced their own respective personal data protection regulations (ie the DIFC and ADGM). However, there is at this point still some uncertainty as to how the PDPL may play out with existing and future free zone legislation.

6). Who is the relevant data protection authority?

The PDPL refers to the establishment of the UAE Data Office (the Data Office) pursuant to Federal Law No. 44 of 2021, which will have responsibility for overseeing and enforcing the PDPL.

7). What are the penalties for non-compliance with the PDPL?

The Data Office will have the power to impose administrative sanctions for violations of the PDPL. However, at present, details of those acts which constitute a violation of the PDPL and the related administrative sanctions that can be applied have not been published. We expect this information to be in the Executive Regulations.

8). Are there any criminal sanctions under the PDPL?

Please see our response to question 7 above – details of the sanctions are expected to be published in the Executive Regulations.

9). Is there a requirement to issue a “privacy notice”?

Prior to the commencement of the processing, the controller must provide data subjects with the following information:

  • the purposes of the processing;
  • the sectors or entities inside or outside the UAE with whom personal data will be shared; and
  • the appropriate safeguards applied in the event that personal data is transferred abroad.

10). Is “consent” the only basis on which personal data can lawfully be processed?

No. Although consent is the primary lawful basis for processing under the PDPL, like other data protection laws, the PDPL lists various lawful bases which can be relied upon when processing personal data.

It is interesting to note, however, that the “legitimate interests” ground – a basis commonly relied upon under established data protection regimes around the world such as the EU’s GDPR – does not feature in the PDPL.

11). Is there any guidance on “consent” as a legal basis for processing personal data under the PDPL?

Yes. The PDPL provides that consent must be a “specific, clear and unambiguous indication of the data subject’s wishes” given by “a statement or by a clear affirmative action”. For consent to be valid, the following conditions must also be met:

(a) the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data (ie there is an evidentiary burden);

(b) the request for consent must be prepared in a clear, simple, intelligible and easily accessible manner; and

(c) the data subject must be informed of their right to withdraw such consent at any time.

In practice, principles such as these will need to work alongside other laws that may impact the business depending on its sector.

12). Does the PDPL impose obligations on processors?

Yes. The PDPL sets out a number of general obligations on processors (ie those processing personal data on behalf of, and in accordance with the instructions of, a controller). More detail is expected in the Executive Regulations.

13). Does the PDPL impose obligations on sub-processors?

Currently, the PDPL does not include any requirements in respect of sub-processors (ie where a processor engages another third party to carry out processing activities on behalf of the controller). However, requirements may be set out in the Executive Regulations.

14). What new data subject rights are created and how are they to be exercised?

The PDPL gives data subjects a number of rights and these are broadly similar to those afforded under other established data protection regimes like the EU’s GDPR. In summary, and subject to certain exemptions, data subjects have the right to access, obtain, rectify, correct, erase, and restrict or suspend the processing of their personal data.

Controllers are required to provide “appropriate and clear” methods and mechanisms to enable data subjects to communicate with the controller and exercise the above rights.

15). Are there any statutory roles that need to be created and filled (eg DPOs) under the PDPL?

Yes. In some cases, both controllers and processors are required to appoint a Data Protection Officer (“DPO”). Note that this requirement to appoint a DPO only applies where:

  • the processing involves new technologies or a significant amount of data and is likely to result in a high risk to the confidentiality and privacy of the data subjects concerned;
  • the processing involves the systematic and extensive evaluation of sensitive personal data using profiling or automated processing; or
  • the processing involves a large volume of sensitive personal data.

More information on the thresholds mentioned above will be set out in the Executive Regulations.

Note that where a DPO is required, the role may be filled by an employee or third party based inside or outside of the UAE so long as that individual has the relevant professional qualities and expert knowledge.

16). Are there any statutory filings or registrations that need to be submitted?

No. There are no up-front filings or registrations mentioned in the PDPL. However, controllers and processors are required to keep a detailed register of their personal data processing activities and make such register available to the Data Office upon request.

17). Is there a requirement to carry out Data Protection Impact Assessments?

Yes. Although there is some uncertainty in the drafting of the PDPL, our current understanding is that controllers are required to carry out a Data Protection Impact Assessment (DPIA) before carrying out the relevant processing activity where the processing:

  • uses new technology that is likely to result in a high risk to the privacy and confidentiality of the concerned data subjects;
  • involves the systematic and extensive evaluation of personal data based on automated processing (including profiling) and that processing has legal or similarly significant effects for the data subject; or
  • involves a large volume of sensitive personal data.

18). What does the PDPL say about cross-border data transfers?

Personal data may be transferred outside of the UAE (or into free zones) where the country or territory to which the data is being transferred has existing legislation in place that provides an “adequate level of protection”.

Where this is not the case, the PDPL also provides some additional ways through which personal data can lawfully be transferred cross-border. To give a few examples of these, personal data may be transferred abroad where:

  • a contract or agreement is put in place to ensure the provisions, measures and requirements set out in the PDPL are considered and upheld (ie a form of Standard Contractual Clauses);
  • the data subject has explicitly consented to the transfer and that transfer does not conflict with the public and security interests of the UAE; or
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject.

Further information will be provided in the Executive Regulations.

Should you have any questions or would like to know more about how we can help you approach complying with the PDPL or other emerging data laws, please get in touch with experts in our Middle East Digital Business team.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.