UAE Personal Data Protection Law

Introduction

The UAE Personal Data Protection Law (PDPL), Federal Decree-Law No. 45 of 2021, is the UAE’s first comprehensive federal data protection legislation. Enacted on 2nd January, 2022, the PDPL aims to safeguard personal data and regulate its processing and is aligned with global privacy standards.

The UAE Data Office is empowered under the law to oversee compliance, process complaints, and regulate cross-border data transfers to ensure secure data handling.

GDPR and UAE PDPL: An Analysis

The UAE Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR) both aim to safeguard personal data. The GDPR applies to any organization processing the personal data of EU residents, regardless of the organization’s location, making it extraterritorial in nature. The PDPL likewise has extraterritorial applicability: organizations located outside the UAE that process the personal data of UAE residents need to comply with the law, regardless of where the processing takes place.

In terms of data subject rights, both the GDPR and the PDPL provide comprehensive rights including rights to access, rectification, erasure, restriction of processing, data portability, and the right to object.

Penalties under the GDPR can reach up to €20 million or 4% of global annual turnover. Under the UAE PDPL, by contrast, the Council of Ministers, based upon a suggestion from the General Director of the UAE Data Bureau, shall decide upon the quantum of administrative penalties that can be imposed. The UAE Data Office is empowered to impose administrative penalties for breaches or violations.

Obligations Placed on Controllers and Processors

Articles 7 and 8 of the UAE PDPL establish the general obligations of data controllers and processors, respectively, in handling personal data.

Under Article 7, a controller is required to implement technical and organizational measures to ensure the confidentiality, integrity, and security of personal data. These measures must align with the nature and scope of processing activities and the associated risks. The controller must adopt methods like pseudonymization and set technical defaults that ensure data processing is limited to its intended purpose. They are also tasked with maintaining detailed records of processing activities, covering information such as categories of personal data, processing timelines, and cross-border data transfers. Appointing processors with adequate safeguards to meet legal standards is another essential obligation. Controllers must also cooperate with the UAE Data Bureau when required and provide any necessary documentation related to their data processing activities.

Article 8 outlines the responsibilities of processors, emphasizing adherence to the controller’s instructions and contractual agreements. Processors must implement suitable safeguards for protecting personal data, considering costs and the nature of processing. They are required to process data only for the agreed purposes and duration, and notify controllers if an extension is needed. Upon completion of processing, processors must erase the data or transfer it back to the controller. To prevent unauthorized disclosures, processors must secure both the data and the systems used for its processing. They are also obligated to maintain a comprehensive record of their processing activities and provide evidence of compliance with legal requirements to controllers or the Bureau upon request. If multiple processors are involved, a written agreement must define their responsibilities to avoid joint liability.

These articles collectively aim to establish a robust framework for ensuring the protection of personal data in line with international standards, assigning clear roles and responsibilities to controllers and processors.

Conclusion

The UAE PDPL marks a significant milestone in the nation’s journey toward establishing a secure and progressive data governance framework.

The PDPL not only safeguards individuals’ privacy rights but also provides organizations with a clear and structured framework to manage personal data responsibly. Through its comprehensive provisions on data processing, cross-border transfers, and compliance requirements, the law empowers businesses to innovate, while also prioritizing data protection.
