Personal Data Protection Law in the UAE

Publications Written by Marsel Shadmanov

The UAE Government has released a series of substantial legal reforms to commemorate its 50th anniversary of independence, including the much-anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which was issued on September 26, 2021.

The PDPL came into force on January 2, 2022. It governs data management and protection and defines the rights and duties of all parties concerned. The PDPL aims to align UAE federal law with international data protection practices, including key global transparency and accountability concepts. It introduces data breach requirements, data protection impact assessments, data transfer requirements and notification, and record-keeping requirements. In this article, we outline the main principles and areas of coverage of the PDPL.

Main outlines and principles of PDPL in the UAE

The PDPL sets out controls over the processing of personal data. These controls include processing personal data in a fair, transparent, and lawful manner; collecting personal data only for a specific and clear purpose; keeping personal data accurate, and correcting or deleting inaccurate personal data; keeping personal data secure; and keeping personal data only for as long as the specific purpose requires, then deleting it.

The PDPL covers both parties: Controllers and Processors. A Controller is a person or organization who decides on the method and criteria for processing personal data, as well as the purpose of the processing. A Processor is a business or natural person who processes personal data on behalf of the Controller, as authorized and instructed by the latter.

As defined by the PDPL, personal data is any information related to a natural person (an individual) who can be identified by such personal attributes as a name, voice, picture, identification number, electronic identifier, geographical location, or physical, physiological, cultural, and social characteristics.

However, some entities and categories of data do not fall within the scope of the PDPL. The exclusions, which the PDPL does not cover, include the following:

  • Government authorities’ data
  • Companies in Free Zones that have their own data protection laws. Examples are Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC)
  • Personal health, banking, and credit information, where separate legislation covers such personal data

The geographic scope of PDPL 

The PDPL applies to individuals residing in the UAE or having a business within the UAE; to each Controller or Processor inside the UAE, regardless of whether the personal data they process is collected from individuals inside or outside the UAE; and to each Controller or Processor located outside the UAE who processes the personal data of data subjects inside the UAE.

Exceptions, which require processing personal data

Except in specific limited instances, personal data can only be handled with the consent of the data subject. However, there are certain exceptional circumstances in which processing the data is required by the law. Such cases include the following:

  • signing a contract with a data subject, or amending or terminating any contract;
  • where the data subject has made the personal data public; 
  • to protect the data subject's interests; 
  • where processing is necessary for claiming legal rights or as part of judicial or security procedures; 
  • where processing is necessary for certain medical purposes or matters of public health.

UAE Data Office Law

Another law was issued simultaneously with the PDPL: a separate statute (Federal Decree-Law No. 44 of 2021) establishing the Data Office. It aims to ensure the most complete protection of personal data. The Data Office is in charge of a variety of tasks, including recommending and approving systems for data subject complaints and remuneration; providing information on how to fully apply data protection legislation; imposing administrative penalties; drafting data-protection-related legislation and policies; and proposing standards for the regulation of data protection legislation.

Although the PDPL has many aspects in common with the EU's data protection law, the General Data Protection Regulation (GDPR), there are several differences between the two laws. Key features of PDPL:

  • lighter transparency requirements, meaning that prior to processing, only a small amount of information will be required;
  • a focus on consent as the primary legal basis;
  • more elaborate processing record requirements.


Marsel Shadmanov

Head of Corporate Services at Garant Business Consultancy DMCC
