Data Protection Law in the UAE
Data Protection Law
On September 20, 2021, the UAE government proclaimed the historic Data Protection Law. On January 2, 2022, the UAE’s authorities put it into effect to bring it into compliance with global standards for data protection and transparency.
What Is the New UAE Data Protection Law Aiming to Achieve?
This new regulation makes clear what is permissible for the gathering, handling, transferring, and reviewing of private information inside the borders of the United Arab Emirates. These sections of the new law reinforce the responsibility of parties to gather, process, and examine sensitive data as well as the privacy rights of data subjects.
The primary focuses of this blog will be the UAE’s Data Protection Law.
Rules of Compliance & Whom They Concern
The UAE’s Personal Data Protection Act (PDPL) makes it very clear which companies have to follow the regulations. Any UAE-registered company that processes the concerned parties’ personal data either domestically or internationally is required to abide by the PDPL, under Article 2(2) of the PDPL. This regulation must be followed even by businesses who gather personal information about UAE citizens on behalf of other organizations.
Who is not subject to PDPL?
A few entities are exempt from the PDPL statute under Article 2(2). Subject to certain laws, these entities include government and public entity data as well as credit and health data. Additional exempt entities are those that have been set up inside free zones, such as the ADGM and DIFC (Dubai International Financial Centre), which function in accordance with their own data protection laws.
Furthermore, organizations that process data for enterprises outside of the DIFC and ADGM free zones will also be subject to some degree of compliance with this rule.
Information Protected by This Law
The data that this law covers is explicitly stated in the PDPL. Its goal is to protect the private and sensitive information that is gathered from the relevant parties. This information comprises:
- Name
- Voice
- Picture
- Identification number
- Race
- Ethnicity
- Religion
- Sexual preferences
- Biometric data
- Criminal records
- Health records
- Geographical location
Every user and data subject has various rights under the recently passed PDPL law. In this case, they always need to have a data handler. Among these situations are:
Right to Information Access
Every person who provides data has a right to know what personal information a company collects about them.
The freedom to transfer data
Every person who provides data has the right to obtain pertinent information in a manner that is comprehensible, transferable, and available to them across a wide range of platforms and devices.
Ability to Limit Processing
The right to limit the processing of personal data by businesses is vested in data subjects. Once a data subject makes an exercise of this claim, the company is required to cease data collection.
The right to erase data
Data subjects have the right to ask companies to remove any personally identifiable information that worries them.
Opposition to Automated Processing
Every data subject has the right to stop a company from utilizing their data—that is, data gathered about them by the relevant business—to support automated decisions that could have an impact on them.
The right to clarification
If data (information gathered about the data subject by the relevant business) is outdated, inaccurate, or incomplete, the data subject has the right to request that the data handler update, amend, or modify it.
Penalties for Failure to Comply
The applicable sanctions for entities that do not comply with the new legislation have not been made apparent by the PDPL. Authorities have determined that in the event that an entity violates the new law, the Council of Ministers and courts will apply the relevant administrative sanctions. Although the PDPL law went into force on January 2, 2022, the government has not yet established uniform punishments. For further information on these punishments, everyone is waiting for executive legislation.
In what ways may IBR Group help you with the Data Protection Law?
Globally, a growing number of users are becoming vocal and conscious of their rights to data privacy and protection. Owing to these difficulties, governments all over the world are eager to enact laws that require companies to take action. This procedure will guarantee that data subjects’ information is protected and obtained with the appropriate authorization.
Data is money in 2024, but there could be legal repercussions if the global framework is not followed. Additionally, companies today handle enormous volumes of data, necessitating automated solutions in order to adhere to ever-changing legal requirements.
For all types of enterprises, from small and medium-sized to large and massive corporations, IBR Group provides a wide range of services. We offer guidance on corporate and private data processing, management, and protection for both clients and employees.
All of these offerings and operations have to comply with legal requirements such as:
• Personal Data Protection Law in the UAE
The DIFC Law on Data Protection
• Data Protection Law ADGM
• GDPR
• The Data Protection Regulation (DPR) and other NDMOs