Personal Data Protection Measures in the UAE
Ordinary life has become impossible without daily filling out countless forms, applications, and inquiries on various web resources and in person, in the course of which we have to disclose one kind of personal information or another to businesses, governmental agencies, or public authorities. This sometimes leads to undesirable results, as we have little control over where and how much information about us has been disclosed and, most importantly, how it will be used further and by whom.
In view of the daily challenges to the safety of personal information and the well-being of the individuals to whom it belongs, the Government had to design and implement legal prescriptions setting out the basic framework for obtaining and processing personal data by everyone who gets access to it in the course of business activities. The principal legal acts in the field are the UAE Law No. 45/2021 On the Protection of Personal Data (the Federal DP Law), applicable generally in the State except for the Financial Free Zones; the DIFC Data Protection Law No. 5/2020 (the DIFC DP Law), applicable in the DIFC Free Zone; and the ADGM Data Protection Regulations 2021, as amended (the ADGM DP Regulations), applicable in the ADGM Free Zone. The Federal DP Law, the DIFC DP Law and the ADGM DP Regulations are together referred to as the DP Laws.
Protected Information
The Federal DP Law identifies personal data as protected information and categorizes it into:
- Personal Data
- Sensitive Personal Data
- Biometric Data
The first category encompasses essentially any information relating to an identified individual, or to an individual who can be identified directly or indirectly by way of such information. This includes a (i) name, (ii) voice, (iii) picture, (iv) identification number, (v) web identifier, (vi) geolocation, or (vii) one or more specific traits that express the physical, psychological, economic, cultural, or social identity of such a person.
Sensitive personal data is a subcategory of personal data that directly or indirectly reveals an individual’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic, or sexual condition, including information related to health care services provided thereto that reveals his/her health status.
Biometric data is limited to personal data that allows or confirms the unique identification of an individual, such as facial images, dactyloscopic (fingerprint) data or equivalent information.
The Federal DP Law, however, excludes from its scope any:
- data processed by government authorities.
- data held with security and judicial authorities.
- information used by individuals for personal purposes.
- health personal data that is subject to protection by healthcare legislation.
- banking and credit information that is subject to banking confidentiality obligations.
A similar approach to the information categorized as personal data may be found in the DIFC DP Law and the ADGM DP Regulations.
Measures Against Data Breach
All three DP Laws place similar obligations on the entities controlling and processing personal information. These are a set of technical and organizational procedures and operations intended to safeguard the privacy, confidentiality and integrity of the personal data collected from individuals and to guarantee the rights of such individuals, who are defined in the DP Laws as Data Subjects, in relation to their data.
Operating Procedures
All entities that collect and/or process personal data are mandated by the DP Laws to put in place:
- technical and organizational measures securing the confidentiality of personal data and protecting it from any breach, damage, alteration or tampering. Such measures should be proportionate to the nature, scope and purposes of the processing and to the potential risks to the personal data and the privacy of the Data Subject.
- where required, anonymization and pseudonymization procedures.
- adequate default settings ensuring that the processing of personal data is limited to its intended purpose.
- procedures for recording and storing protected information, with a description of the (i) categories of data, (ii) persons authorized to access them, (iii) purpose of the processing, (iv) any data that has been transferred to or processed with the involvement of a foreign entity or a third party, (v) the identity of such third and foreign parties, (vi) the processing duration, restrictions and scope, and (vii) the mechanisms for erasure and modification of any such information.
- methods by which Data Subjects can exercise their rights; the DIFC DP Law requires entities to implement at least two methods by which a Data Subject can contact the entity to request the exercise of his/her rights.
The mandatory measures become more rigorous where the risk of a data breach is higher.
Consent
Unless the data is processed in one of the cases provided for in Article 4 of the Federal DP Law, any person collecting or processing personal data must first obtain the Data Subject’s consent to process his/her data, and the Data Subject retains the right to withdraw such consent. Consent must be free, informed, and given in a clear, unambiguous manner.
Supervisory Authority
The authorities responsible for supervision and enforcement of the DP Laws are:
- UAE Data Office in the UAE’s main jurisdiction,
- Commissioner of Data Protection in the DIFC Free Zone, and
- Office of Data Protection in the ADGM jurisdiction.
Entities collecting and processing personal information in the above territories should at all times be prepared to demonstrate their compliance with the applicable DP Law to the supervisory authorities.
For further guidance and information on the application of the discussed law in the UAE, it’s advisable to consult with experienced lawyers in Dubai who are well-versed in UAE data protection regulations. At our Dubai law firm, we can provide you with the expertise needed to navigate these laws and ensure compliance, helping you avoid potential UAE fines associated with mishandling personal data. Please get in touch with Al Dhaheri International Advocates & Legal Consultants using the contact details listed on our website. Our team is committed to promptly and effectively addressing any inquiries you may have regarding personal data protection in the UAE.