November 29, 2021
UAE Enacts New Federal Personal Data Protection Law
4 Min Read
A new comprehensive personal data protection law was enacted in the UAE on November 29, 2021. The Law is the UAE’s first-ever federal privacy law and is part of a broad federal reform package in the UAE which has seen over 40 other laws amended or enacted. The Law will enter into effect on January 2, 2022, and will be enforceable 12 months later in January 2023. It is also understood that executive regulations are to be published within six months from the date of publication of the Law, and organizations that fall under the Law’s scope will be expected to comply within one year from the publication date.
The Federal Personal Data Protection Law will introduce new data subject rights, as well as requirements around breach notification, risk assessments, data processing records, and consent, among other things.
Will the UAE Federal Personal Data Protection Law Apply to Me?
The Law will apply to processing of personal data by automated, partly automated, or any other means. It will also apply to every data controller or data processor in the UAE that processes the personal data of data subjects regardless of the subject’s geographic location. Furthermore, the Law will apply to data controllers or data processors that are established outside of the UAE that process the personal data of data subjects in the UAE.
There are several exemptions from the scope of the new law which will not apply to public entities, health data governed by existing legislation, credit data governed by existing legislation, and financial free zones with their own data protection legislation (e.g. DIFC, ADGM). Organizations operating in financial free zones will continue to be bound by the existing data protection legislation in these areas.
Key Areas of the Law to Consider
The Law highlights that the processing of personal data cannot take place without the consent of the data subject. However, there are several exceptions including:
- when processing is necessary to protect the public interest;
- when processing is related to personal data that has become available and known to all by an act of the data owner; or
- when the processing is necessary to carry out any legal procedures and rights.
Data Subject Rights
The Law defines a new set of rights for data subjects in the UAE giving data subjects greater control of their use of their personal data. The law includes the following data subject rights:
- The right to access
- The right to correction
- The right to restrict processing
- The right to stop processing
Other Key Features of the Law
The Law also sets out obligations for data controllers such as impact assessments, breach notification requirements, data protection officer appointment, and cross-border transfers. Data controllers will also have to maintain records of data processing.
Data processors will also need to comply with several new requirements including in relation to relationships with data controllers.
Who Will Enforce the law?
The Law will establish the UAE Data Office that will be responsible for proposing policies, developing data protection legislation, and issuing guidance on the implementation of data protection law.
The Federal Data Protection Law in the UAE will enter into effect on January 2, 2022, and the Law will become enforceable in January 2023. Executive regulations will be made public six months after the Law’s publication on July 2, 2022. The UAE Data Office will also need to be established before the January 2023 entry into force.
Further reading on the new federal data protection law in the UAE:
- OneTrust DataGuidance News: UAE enacts new Federal Law on Protection of Personal Data as part of legislative reform package
- UAE Cabinet: UAE adopts largest legislative reform in its history
- OneTrust: Complete Solutions to Power Your Privacy, Security and Data Governance Programs