The impact of the UAE Regulation on the Protection of Personal Data: Is your business prepared?

Foreign companies operating in the UAE face a complicated data protection landscape and rigid compliance requirements. The country has both onshore federal and offshore data protection laws, which are specific to the 'free zones' such as the Dubai International Financial Centre (DIFC), Abu Dhabi Global Market (ADGM), and Dubai Healthcare City (DHCC). These free zones operate under their own legal frameworks with specific data privacy and security regulations.

Additional regulations that are specific to certain sectors and emirates within the UAE also contain provisions regarding data protection. However, the country has not yet entered into any international agreements that specifically focus on data security.

On November 28, 2021, the UAE Cabinet enacted the Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL 2021), which had been first introduced on September 20, 2021, and became the first federal data regulation in the UAE. The PDPL 2021 came into effect on January 2, 2022, calling for further executive regulations to establish the data protection requirements that businesses must meet.

The PDPL 2021 applies to the personal data processing of UAE data subjects, irrespective of the data controller or processor’s location. However, the regulation does not cover certain data types, such as government data, personal data held by UAE security and judicial authorities, and health or financial personal data subject to separate legislation. The regulation also does not have provisions on data processing activities performed by government authorities. 

The PDPL 2021 largely aligns with international privacy practices, adopting principles of lawfulness, fairness, and transparency and providing standard lawful bases for personal data processing, such as consent, protecting a data subject or public interests, and adherence to the clauses of a contract concluded with a data subject. However, unlike the EU General Data Protection Regulation (GDPR), legitimate interests are not currently included as a lawful basis for data processing.

The UAE Regulation on the Protection of Personal Data also sets out extensive requirements for data controllers and processors, including breach notification obligations, the appointment of data protection officers, data protection impact assessments, and privacy notice requirements.

Let’s examine the key points in which the UAE’s comprehensive data protection legislation affects individuals and particularly businesses that process local data. 

PDPL 2021 applies to the following:

• Individuals who are data subjects, residing in or conducting business in the UAE;
• Companies that act as controllers or processors for the processing of personal data within or outside the UAE;
• Companies operating outside the UAE that process data within the UAE.

When processing personal data, businesses must adhere to the following requirements:

• Fairness, transparency, and lawfulness;
• Collection for a specific and clear purpose;
• Sufficiency and limitation to the purpose;
• Accuracy, correctness, and updating;
• Implementation of appropriate measures and procedures to ensure modification;
• Secure storage through technical and organizational measures.

Organizations that fail to comply with the PDPL 2021 or its executive regulations (e.g., inability to put in place proper data protection measures, etc.) may face penalties. However, the nature and type of penalties are defined by the Data Office and vary by case.

Businesses that are engaged in data processing must align their internal policies and procedures, as well as review the policies followed by their third-party providers, to ensure conformity with the evolving regulatory framework. An extensive audit of the systems in place will be essential to achieve this scope.

To find out how WhatsApp has revolutionized business communication in the UAE and globally and get insights into the perks and drawbacks of using the platform, read our blog post.