UAE data protection laws | Discover Now with SAR Lawyers

UAE data protection laws | Discover Now with SAR Lawyers


On September 20, 2021, Federal Decree No. 45 of 2021 of the UAE data protection laws was promulgated.

The law came into force on January 2, 2022. The Implementing Regulations must be promulgated within six months from the date of promulgation of the law (by 20 March 2022).

UAE businesses must comply with the law within six months of the enactment of these regulations. As with many laws in the UAE, the Bylaws provide additional details about the provisions of the law and help UAE businesses understand their compliance requirements under the law.

The law aims to align UAE federal law with global best practice privacy principles. Those familiar with such principles are familiar with much of the law and its key concepts of transparency and accountability. The law introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record-keeping requirements.

Concurrently with the law, his United Arab Emirates Decree No. 44 of 2021 was also issued on 20 September 2021 establishing the UAE data protection laws to meet the requirements of the law.

What do You need to Know about UAE Data Protection Laws?

What do You need to Know about UAE Data Protection Laws?

When does the law apply?

UAE data protection laws apply to both controllers and processors. The controller is the natural or legal person who determines how and on what basis personal data are processed and for the purposes of the processing. The Processor processes Personal Data on behalf of the Controller and in accordance with the Controller’s instructions.

Personal data are all data relating to or relating to a natural person who can be identified, directly or indirectly, by linking the data. This includes one or more of the name, voice, image, identification number, electronic identifier, geographic location, or physical, physiological, economic, cultural, or social characteristics of a natural person; This includes, but is not limited to, sensitive personal information.

Sensitive personal data includes, directly or indirectly, an individual’s family or ethnic origin, political or philosophical opinions or religious beliefs, criminal record, biometric data, and data related to an individual’s health. Contains data to reveal.

This law applies to all processing of personal data by controllers and processors in the UAE, regardless of whether the processing of personal data relates to data subjects in the UAE or abroad. It covers the personal data of data subjects residing or working in the UAE.

This also applies to controllers and processors located outside the UAE who process the personal data of UAE data subjects. This is an out-of-territorial element similar to GDPR.

UAE data protection laws include materiality thresholds related to the processing of personal data, allowing data bureaus to exclude UAE companies that do not process large amounts of personal data. This is stipulated in the Implementing Regulations.

When do UAE data protection laws not apply?

When do UAE data protection laws not apply?

UAE data protection laws do not apply to personal data processed by government data, government agencies that control or process personal data, or security and law enforcement authorities. However, state-owned enterprises appear to be subject to the law.

UAE data protection laws do not apply to personal health data or information, or personal banking or credit data or information, although different laws apply to such personal data and information. This law also does not apply to UAE free zones such as Dubai International Financial Center and Abu Dhabi Global Market, which have their own data protection laws. Finally, the law does not apply to the use of personal data by data subjects for personal purposes.

What are the main principles of UAE data protection laws?

UAE data protection laws speak of “control” over the processing of personal data. This includes Processing in a fair, transparent, and lawful manner. collect personal data only for specific and explicit purposes; only process personal data necessary for the specified purposes (or for purposes similar or closely related to the specified purposes); keep personal data accurate and correct or delete inaccurate personal data; Protection of personal data; we only retain personal information for as long as necessary for the specific purpose and then delete or anonymize it. All of these principles are consistent with those adopted by global data protection laws such as GDPR.

What is the legal basis for processing personal data under UAE data protection laws?

What is the legal basis for processing personal data under UAE data protection laws?

Personal data can only be processed with the consent of the data subject, except in certain limited circumstances. These necessary situations include Processing necessary for the performance of a contract with a data subject or for the conclusion, modification, or termination of such a contract. If the data subject makes the personal data public. To protect the interests of data subjects.

Where the processing is necessary for the establishment of legal claims or as part of judicial or security proceedings. Where the processing is necessary for specific medical purposes or public health issues (in accordance with relevant law); for archival purposes or scientific, historical, and statistical research (in accordance with relevant law); and/or to fulfill our obligations and to controllers or data subjects exercising their employment/social protection rights.

The legal basis for processing that is not included is where the processing is necessary for the legitimate interests of the controller (or a third party). This is common ground provided by global data protection laws.


How should consent to the processing of personal data be handled?

How should consent to the processing of UAE personal data laws be handled?

The controller must be able to establish the consent of the data subject where consent is used as the legal basis for the processing of the data subject’s personal data. Hmm. Consent should be clear, simple, clear, and easily accessible. Consent should take the form of a statement or clear affirmative action and can be given in writing or electronically.

The consent language should include the data subject’s right to withdraw consent, and such withdrawal should be easy. Affected persons may withdraw their consent at any time. Such revocation shall not affect the lawfulness and lawfulness of any processing based on consent given prior to revocation.


You can discover more about UAE data protection laws

Read also: The Best Lawyer in Dubai