UAE Enacts New Federal Personal Data Protection Law

First comprehensive federal data protection law in the UAE will enter into effect on January 2, 2022

A new comprehensive personal data protection law was enacted in the UAE on November 29, 2021. The Law is the UAE’s first-ever federal privacy law and is part of a broad federal reform package in the UAE that has seen over 40 other laws amended or enacted. The Law will enter into effect on January 2, 2022, and will be enforceable 12 months later in January 2023. It is also understood that executive regulations are to be published within six months from the date of publication of the Law, and organizations that fall under the Law’s scope will be expected to comply within one year from the publication date.

The Federal Personal Data Protection Law will introduce new data subject rights, as well as requirements around breach notification, risk assessments, data processing records, and consent, among other things.

Will the UAE Federal Personal Data Protection Law Apply to Me?

The Law will apply to processing of personal data by automated, partly automated, or any other means. It will also apply to every data controller or data processor in the UAE that processes the personal data of data subjects regardless of the subject’s geographic location. Furthermore, the Law will apply to data controllers or data processors that are established outside of the UAE that process the personal data of data subjects in the UAE.

There are several exemptions from the scope of the new law. It will not apply to public entities, health data governed by existing legislation, credit data governed by existing legislation, or financial free zones with their own data protection legislation (e.g. DIFC, ADGM). Organizations operating in financial free zones will continue to be bound by the existing data protection legislation in these areas.

Key Areas of the Law to Consider

Consent Requirements

The Law highlights that the processing of personal data cannot take place without the consent of the data subject. However, there are several exceptions including:

  • when processing is necessary to protect the public interest;
  • when processing is related to personal data that has become available and known to all by an act of the data owner; or
  • when the processing is necessary to carry out any legal procedures and rights.

Data Subject Rights

The Law defines a new set of rights for data subjects in the UAE, giving them greater control over the use of their personal data. The Law includes the following data subject rights:

  • The right to access
  • The right to correction
  • The right to restrict processing
  • The right to stop processing

Other Key Features of the Law

The Law also sets out obligations for data controllers such as impact assessments, breach notification requirements, data protection officer appointment, and cross-border transfers. Data controllers will also have to maintain records of data processing.

Data processors will also need to comply with several new requirements including in relation to relationships with data controllers.

Who Will Enforce the Law?

The Law will establish the UAE Data Office that will be responsible for proposing policies, developing data protection legislation, and issuing guidance on the implementation of data protection law.

What’s Next?

The Federal Data Protection Law in the UAE will enter into effect on January 2, 2022, and the Law will become enforceable in January 2023. Executive regulations will be made public on July 2, 2022, six months after the Law’s publication. The UAE Data Office will also need to be established before the January 2023 entry into force.
