In Brief:
The UAE has implemented a comprehensive framework to enhance consumer rights. Key legislation introduced in recent years includes:
- Data Protection Legislation: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the “PDPL”).
- Consumer Protection Legislation: Federal Law No. (15) of 2020 on Consumer Protection and Cabinet Resolution No. 66 of 2023 concerning the Executive Regulations of Federal Law No. (15) of 2020.
- Digital Commerce Legislation: Federal Decree-Law No. 14/2023 on Trading by Modern Technological Means.
In this article, we focus on the PDPL and specifically on the obligations that impact businesses (both in the UAE and abroad), and the steps businesses should take to become compliant.
Please see the conclusion of this article for links to our articles discussing the other pieces of consumer protection legislation mentioned above.
UAE Personal Data Protection Law
In our digital world, where personal data fuels the digital economy and is increasingly valuable, the UAE introduced the PDPL, the nation’s first federal law on the protection of an individual’s information. The PDPL establishes clear guidelines on how personal data must be handled and protected. Enacted in 2021, the PDPL represents a significant step towards ensuring the privacy and security of personal data, aligning with global standards such as the European Union's General Data Protection Regulation (“GDPR”). For businesses (both in the UAE and those conducting business in the UAE from abroad), understanding the PDPL is not only essential for legal compliance but is crucial for protecting their reputation and for maintaining customer trust.
While the PDPL is the subject of this article, the UAE is home to other data protection regimes, the two most prominent being those set out in the Dubai International Financial Centre’s Data Protection Law, and the Abu Dhabi Global Market’s Data Protection Regulations.
Key Features of the PDPL
The PDPL, which applies across the UAE (with few exceptions, including the aforementioned financial free zones), affects any natural or legal person that processes personal data within the UAE, or that handles the personal data of UAE residents, regardless of where such natural or legal person is based. For the purposes of this article (being focused on businesses), this means that those established inside the UAE must comply with the PDPL, as must businesses outside the UAE where they deal with personal data relating to UAE residents. Similar to the GDPR, therefore, the PDPL has an extraterritorial effect.
1. Definition of Personal Data and Processing
The PDPL defines ‘personal data’ as any information that can identify an individual, either directly or indirectly. This can include names, contact details, location data, online identifiers, and biometric data. ‘Processing’ is defined broadly to include any collection, storage, use, sharing, or disposal of personal data. Accordingly, if a business holds personal data of any person, for any reason and in any way, it will be deemed to be ‘processing’ such data under the PDPL.
2. Lawful Basis for Data Processing
Under the PDPL, processing personal data without the consent of the owner is prohibited unless the business has a lawful basis for such processing. The PDPL permits processing on several grounds, including (but not limited to):
- Consent: Businesses must obtain clear and specific consent (through a clear and positive statement or action) from individuals (the data owners) to process their personal data.
- Contractual Necessity: Personal data may be processed if it is essential for fulfilling a contract with the relevant individual (or ‘data subject’).
- Legal Obligation: Personal data may be processed if required by law, such as pursuant to tax or regulatory obligations.
3. Data Subject Rights
The PDPL grants individuals various rights over the collection and use of their personal data, including (but not limited to):
- The Right to Receive Information: Individuals can request access to the personal data held by a business;
- The Right to Correction: Individuals can require businesses to make corrections to inaccurate or incomplete data;
- The Right to Erasure: In some cases, individuals can request that their personal data be deleted (the ‘right to be forgotten’);
- The Right to Stop Processing: Individuals are at liberty to object to the processing of their personal data under certain circumstances; and
- The Right to Transfer: Individuals can require that their personal data be transferred to another ‘data controller’ (in a usable format).
It is a critical element of data protection law compliance, therefore, for businesses to establish processes to respond to requests from data subjects for their exercise of these rights within the timeframes outlined by the PDPL.
4. Data Breach Notification
The PDPL mandates that businesses notify the UAE Data Bureau (the entity responsible for administering the PDPL) of any breach or violation that would prejudice the privacy, confidentiality and security of an individual’s personal data at the time that they become aware of such breach, and (at least) within the time period specified by the PDPL Executive Regulations. While the PDPL entered into legal force on 2 January 2022, the PDPL Executive Regulations have not yet been published (the timeline for publication is unknown), and, as a result, the maximum notification period is as yet undefined. Under the PDPL, therefore, at the present time, notification is required immediately upon a business becoming aware of a breach.
The PDPL similarly states that a business must notify the relevant individual if a breach affects the privacy and confidentiality of that individual’s personal data, again, within the time period to be established by the (as yet not published) PDPL Executive Regulations. Therefore, currently, where an individual is at risk of harm due to the breach, time will be of the essence under the PDPL, and businesses seeking to mitigate potential claims from individuals who have been harmed by a data breach should act without delay.
5. Cross-border Data Transfers
Of key relevance to businesses operating internationally will be the transfer of personal data across jurisdictional borders. Under the PDPL, the transfer of personal data outside the UAE is permitted, but only if the destination jurisdiction ‘ensures an adequate level of data protection’. If the receiving jurisdiction does not provide what is deemed to be ‘sufficient protection’, additional safeguards must be implemented by those wishing to transfer the data, such as the entering into of data processing agreements with the data transfer recipients, which require them to process the relevant personal data in compliance with the PDPL.
Cutting to the Chase - What Steps Should Businesses Take to Comply with the PDPL?
For businesses within the scope of the PDPL, the management of personal data is no longer simply a matter of internal policy and good practice. It is a legal obligation. Businesses must adopt robust data protection practices and procedures to ensure demonstrable compliance with the PDPL.
Here are some practical steps that businesses may take:
Conducting a Comprehensive Data Mapping Exercise: Conduct an audit of the personal data your business collects, stores, and processes. This will require input from all functions of your business, since each will collect and use/process different types of personal data, for different reasons: Human Resources will collect employee details, payroll information and health data; the Marketing Department will collect customer data, demographic information and consent/subscription records; and the IT Department will collect user account data, usage data and device information.
Once your business has established the nature of personal data being collected and processed, the next task for the business is to verify that all such data processing activities are justified by a lawful basis under the PDPL, and align with the rights of the relevant data subjects.
If your business relies on consent as the lawful basis for processing personal data, consider whether the consent you have obtained is clear, specific, and given by way of a clear and positive statement or action.
Identifying Which Data Protection Regime(s) Apply: It is common for data protection legislation to have an extraterritorial effect because data constantly crosses borders and does not remain confined to any particular jurisdiction. If data protection regulations did not have extraterritorial effect, it would be far too easy for those dealing with personal data to avoid complying with data protection laws by simply transferring data to another jurisdiction. The PDPL applies to non-UAE companies if they are processing the personal data of UAE residents. Similarly, the GDPR and several other international data protection regimes apply to companies processing the personal data of individuals in the relevant jurisdiction(s) of the legislation. As a result, most businesses with international suppliers, customers, or group-related companies need to comply with the data protection regimes of multiple jurisdictions. It is a key first step, therefore, for each business to determine which jurisdiction’s regime(s) it must comply with as a result of its operations.
Developing a Record of Processing Activities (“ROPA”): A ROPA is essentially a list, or log, of all the data processing activities that a business carries out. It may include the name and contact details of the data controller and processor(s), categories of data subjects, categories of personal data being processed, details of the recipients of personal data, details relating to the transfer of personal data outside of the UAE, retention periods for personal data, and the security measures implemented to protect the personal data. A ROPA helps a business comply with the transparency and accountability requirements of the PDPL.
Designing a Compliance Regime: Each business will need to implement a number of policies, procedures and documentation outlining and demonstrating how it complies with the PDPL, which may include:
- an Internal Data Protection Policy;
- an Employee Privacy Policy;
- an External Privacy Policy (such as an online privacy policy on its website, application or platform);
- a Data Breach Response Policy;
- a Data Breach Management Plan;
- a Data Subject Access Request Policy and Forms;
- a Privacy by Design and Default Policy;
- a Data Protection Impact Assessment Policy and Template;
- a Records Management Policy;
- an IT Security Policy (including ‘Bring Your Own Device’);
- a Data Protection Officer Procedure (if applicable).
These policies would not only help the business to process personal data uniformly and in a manner compliant with the PDPL, but would also help to demonstrate the steps the business has taken to ensure its compliance, on an ongoing basis, with the PDPL.
Conclusion
The PDPL represents the UAE’s adoption of the significant strengthening of personal data regulation taking place globally. For businesses, the PDPL underscores the importance of data governance and accountability in the digital age. By taking proactive steps to ensure compliance, businesses are not only better prepared to avoid legal risks and penalties, but also enhance their reputation as trustworthy custodians of personal data, perhaps ahead of some competitors.
In addition to the obligations imposed by the PDPL, digital and non-digital merchants should also be aware of the UAE Consumer Protection Law and the UAE Digital Commerce Law.
For more information, please contact a member of the Hadef Commercial Team (Victoria Woods, Partner - v.woods@hadefpartners.com, Diana Froyland, Senior Counsel - d.froyland@hadefpartners.com, or Julie Beeton, Senior Counsel - j.beeton@hadefpartners.com).