The United Arab Emirates (UAE) Data Protection Law came into force on 2 January 2022. The Executive Regulations to the Data Protection Law will be released shortly, after which businesses will have six (6) months to ensure that their data protection policies around personal data and consent are fully compliant with the Data Protection Law.

30 November 22

For a detailed summary of the key provisions of the Data Protection Law and their application, please refer to our earlier legal update: UAE Personal Data Protection Law

In summary, the Data Protection Law applies to:
(a) individuals who reside or have a place of business in the UAE;
(b) businesses in the UAE which process the personal data of individuals (including customers, suppliers and employees) whether those individuals are located within or outside the UAE; and
(c) businesses located outside the UAE that process personal data of individuals in the UAE.

It should be noted that Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) have their own data protection regimes and are therefore exempt from the application of the Data Protection Law.

The purpose of this note is to set out and highlight certain aspects which need to be considered by persons who need to comply with the Data Protection Law.

Areas that Require Compliance

Gap Assessment and Preparing a Data Inventory
It is important that organisations which collect, hold, handle or process any data undertake a gap assessment to ascertain whether there are any compliance gaps between their existing processes and the requirements of the Data Protection Law.

In doing so, companies will need to: (i) undertake a compatibility review of their current policies and procedures with the requirements of the Data Protection Law; (ii) assess privacy risks by mapping out existing data flows; (iii) assess whether the organisation meets valid consent requirements for data processing; and (iv) draft adequate contractual arrangements to fully comply with the Data Protection Law.

In addition to the gap assessment, companies will also be required to maintain a data inventory containing records of the personal data being collected and processed by an organisation.

Updating Data Protection Policies and Privacy Notices
The Data Protection Law provides certain criteria for data protection policies and privacy notices that are used for data processing activities in the UAE. An organisation is required to be transparent on how data is being processed, shared and transferred, and this information needs to be available to all data subjects (that is, persons whose data is being collected, stored and processed). Organisations will need to ensure compliance with these requirements by the time the Data Protection Law is in force.

Review Consent Language in Contractual Arrangements
Organisations are required to ensure that consent is obtained from all individuals whose data is being collected, stored or processed (either from websites, contracts, terms and conditions, employment arrangements or general trading activities). Accordingly, companies will be required to assess on a continuing basis whether their methods of collecting consent are in line with the Data Protection Law. Any non-compliance with these requirements can result in the imposition of fines of up to AED 500,000 (approx. USD 136,000) plus other penalties set out in the Data Protection Law.

The Global Data Protection Regulations (GDPR) has a concept of legitimate interests, which allows companies to process data for their interests or the interests of third parties (such as for commercial interests or broader social benefits). The concept of legitimate interests does not exist under the Data Protection Law and therefore it is paramount for organisations to ensure that consent is obtained from data subjects in a clear, simple and unambiguous manner.

Put in Place Systems for Handling Requests from Individuals
The Data Protection Law allows individuals/data subjects to seek information from organisations collecting, holding or processing their data on how such data is being used and on the obligations with which organisations are supposed to comply in relation to these requests. As part of the Data Protection Law compliance, organisations will need to ensure that they have appropriate policies and procedures in place to handle and process any requests from individuals/data subjects.

Preparing Data Breach and Cyber Incident Response Plans
In the event of a data breach, organisations or businesses are required to immediately notify the UAE Data Office and individuals who are affected by a data breach.

Advising on and Undertaking Data Privacy Impact Assessments
The Data Protection Law requires businesses to assess the impact of personal data processing for the purposes of promoting data transparency and avoiding data breaches, leaks and theft of intellectual property.

Employees and data protection officers should participate in training which covers the high-level and practical requirements of the Data Protection Law.

Based on the requirements of the Data Protection Law and the timelines for compliance, persons and organisations are strongly recommended to introduce a comprehensive data protection compliance program.

Should you require more information or have any other queries relating to this legal alert, please do not hesitate to contact Adil Shafi.



Mehak Kampani, Associate