The UAE government in November 2021 approved the Federal Decree-Law No 45 2021 on Protection of Personal Data (PDPL).
Its purpose is in tandem with several other data protection laws that have been drafted and enacted in other jurisdictions around the world.
It is an all-inclusive law that deals with UAE data protection law pdf and the rights of UAE citizens (data subjects) over how they choose to share their data with data handlers and how data processors should handle the data.
Who’s To Comply With The Law
Like the GDPR, the PDPL has explicitly stated which businesses are supposed to comply with the legislation.
As per Article 2(1) of the PDPL, all businesses or companies registered in the UAE and are involved in processing personal data of data subjects inside or outside the UAE are mandated to comply with the PDPL.
Additionally, companies who collect data of UAE residents on behalf of another organization have to follow this law just the same.
Businesses that are part of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) free zones but process data on behalf of companies that are not a part of the DIFC and ADGM are also covered by the law in limited cases.
Who Is Exempted
There are certain entities that the law has exempted from the provisions of the new law, such as government data, public entities’ data, health and credit data subject to their own dedicated legislation, and most importantly, entities established within the free zones such as the DIFC and ADGM that have their own data protection laws. This is evidenced in Article 2(2) of the legislation.
What Data Is Covered?
The PDPL provides unequivocally the data of the data subjects which is collected by a data processor and considered sensitive.
The following data is covered under the UAE’s new data protection law and should be protected:
• Name
• Voice
• Picture
• Identification number
• Race
• Ethnicity
• Religion
• Sexual preference
• Biometric data
• Criminal record
• Health Records
• Geographical location
What Rights Do Data Subjects Have?
Under the new PDPL, all users, or data subjects in UAE have certain rights that a data processor or controller is required to ensure under any circumstances.
These include:
The Right to Stop Processing
• The Data Subject can request the controller restrict or stop the processing in the following cases:
• If the accuracy of Personal Data, is being objected then the Processing shall be restricted to a specific period to allow verification of the same by the Controller.
• If the Processing violates the agreed purposes.
• If the Processing violates the provisions hereof, and the legislation in force.
The Right to Obtain Information
Based on a request submitted to the Controller, the data subject is entitled to obtain the following information for free;
• The types of his/her personal data that are processed
• Purposes of processing
• Decisions are made based on Automated Processing, including Profiling.
• Targeted sectors or establishments with which his/her Personal Data is to be shared, whether inside or outside the State
The Right to Object to Automated Processing
Any decision involving Automated Processing, including profiling, that has legal consequences or seriously affects the Data Subject, the data subject has the right to object.
• However, it is not applicable:
• If the automated processing is included in the terms of a contract
• It is necessary by-laws
• If the data subject has already given his/her consent to that automated processing.
The Right to Request Personal Data Transfer
The data subject has the right to obtain his or her personal data provided to the controller in a structured and machine-readable manner if such processing is based on consent or is necessary for the fulfillment of a contractual obligation and is made by automated means.
The Right to Restrict Processing
• A data subject may object to and halt the processing of his or her data in the following circumstances;
• If the data processor violates the provision of Article (5) of the legislation
• If the data processing is for direct marketing purposes, including profiling related to direct marketing
• If the processing is to conduct statistical surveys unless the processing is necessary to achieve the public interest
The Right to Correction
If the data subject’s inaccurate personal data is held with the data processor, he or she has the right to request the controller to correct or complete the information without undue delay.
The Right to Erasure
• The legislation gives data subjects the right to request the erasure of his or her personal data with the data processor if;
• It is no longer required for the purposes for which it is collected or needed for
• If the data subject objects to the processing or if there are no legitimate reasons to continue processing
• If the consent is withdrawn by the data subject
Communication with Controller
Data subjects must provided with a suitable and clear ways and mechanisms to establish communication with the data processor regarding their right and related requests or concerns they may have.
Right to Rectification
All data subjects have the right to request a data handler to change, amend, or modify data collected on data subjects in case it is outdated, incomplete, or incorrect.
Enforcement & Grievance Redress
The legislation outlines the rights of the data subjects with respect to the enforcement of the provisions and subsequent imposition of penalties in case of non-compliance by the data processor.
Article 24 of the legislation provides a data subject with the right to file a complaint with the UAE Data Office. This can be on the grounds of violating the provisions of the legislation by the data processor while undertaking the processing of the data subject’s personal data.
Article 25 also grants the data subjects the right to submit a written grievance against any decision, administrative penalty or procedure taken against him/her by the Office. A grievance must be sent to the Office General Manager in a written format within thirty days from the date of receiving the notification of such an administrative penalty.
Presently, the PDPL does not define any penalties for breaches. However, upon receiving a complaint from a data subject to the UAE Data Office, the Council of Ministers can impose administrative fines.
Conclusion
Individuals around the world are becoming increasingly conscious, aware, and vocal about their rights to data privacy and data protection. Naturally, legislation are being drafted globally that would mandate businesses to undertake proactive measures to ensure all data collected on data subjects is not only handled properly but also gained with appropriate consent.
If you feel any of your rights as a data subject have been violated any way, do not hesitate to reach out to us for a free consultation on how we can assist you in enforcing your rights.
We offer several legal services ranging from company formation and management, family dispute and resolution, immigration, debt recovery, Alternative dispute resolution, real estate, and a host of others in the United Kingdom, India, Africa, and Asia.
We at eLegal Consultants are ready to journey with you to help you actualize your dreams. Contact us today.
