New data protection rules in force in the UAE

New personal data protection legislation has now come into force in the UAE, the first comprehensive federal data privacy law in the country’s history.

Barkha Doshi, data protection expert at Pinsent Masons, said that the UAE now “joins Saudi Arabia by passing a standalone federal data protection regime and brings comprehensive data protection legislation to another country in the Middle East”.

The UAE Data Protection Law (DPL), which came into force on 2 January 2022, is intended to protect “any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data”.

It will also apply to sensitive personal data, like race or religious beliefs, and biometric data such as fingerprints.

“Remarkably, the new Federal Data Protection law largely mirrors the European Union’s General Data Protection Regulation (GDPR) legislation,” Doshi said.

The DPL will give data subjects a number of rights over their personal data, including the right to access their personal data held by a data controller, to request the transfer of their personal data, to have their personal data amended or erased, to restrict the processing of their personal data in certain cases, and to object to automatic processing – and certain types of data processing like marketing.

Data controllers will be required to communicate with data subjects and will need to appoint a Data Protection Officer (DPO) to comply with the law. An organisation will have to make clear to data subjects why their personal data is being collected and processed, and will only be able to use personal data for marketing purposes with the consent of data subjects.

Organisations will also have to provide an ‘opt-out’ method for data subjects to withdraw their consent, and will be required to limit their data processing, ensuring they do not collect more data than is needed for the purpose they have given.

Government data, and the government and judicial bodies that control and process personal data, will be exempt from the DPL. The law will also not apply to personal health data regulated by the ICT healthcare law.

Doshi said: “Owing to this new regime, all businesses operating in the UAE, or that are based outside the UAE but process personal data of data subjects located in the UAE, will need to assess their activities and make changes to align with the new Data Protection Law as quickly as possible.”

Additionally, a new ‘UAE Data Office’, which will regulate and update the DPL, will have the power to exempt other organisations that do not process large amounts of personal data. It will also issue guidelines for authorities on how to implement the data protection law.

Data controllers and processors have six months from 2 January 2022 to ensure their operations comply with the new law.

Penalties for breaches are not included in the current legislation but will be specified in future executive regulations.