On 28 November 2021 the United Arab Emirates (UAE) issued Federal Decree-Law No. 45 of 2021, also known as the Personal Data Protection Law (PDPL). It follows other countries around the world in enacting concrete legislation that protects the data of all residents within the UAE.
Inevitably, the new personal data protection law has drawn several comparisons with the EU's General Data Protection Regulation (GDPR), which is widely considered the most detailed piece of legislation on the subject of data privacy and data protection. As expected, there are many similarities between the two laws, along with some notable differences.
Understanding these similarities and differences can help your company and its data controllers/processors achieve compliance with both laws and gain a competitive advantage over competitors in both jurisdictions. It also helps in assessing how, and in which areas, your company needs to amend its data processing practices to remain compliant with both laws.
Scope of the Law
Data privacy and protection have become a fundamental cornerstone of your company's ability to maintain the trust of its users (data subjects). As data subjects become increasingly educated about their rights and the responsibilities of data controllers/processors towards them, it is crucial that organisations understand where they stand.
The first step is to understand whether a company needs to comply with the new UAE data protection law at all, and how that compares with compliance requirements under the GDPR.
The UAE PDPL
According to the new UAE PDPL, any company registered in the UAE that collects or processes the data of UAE residents is subject to this new legislation. Likewise, any company not registered in the UAE but processing the data of data subjects in the UAE is also subject to this legislation.
Some notable exemptions exist for government data, public entities' data, and health and credit data that are subject to their own dedicated legislation. Note also that companies established in the free zones of the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are subject to those zones' own data protection laws and are exempt from the PDPL.
The GDPR
The GDPR defines its scope, and who must comply with it, more simply: any company that collects data on EU residents, whether located in the EU or outside it, must comply with the regulation's provisions.
Additionally, the GDPR applies if your product is sold to customers in the EU or is accessible to them. Notably, a company whose product or service is priced in an EU currency, or that offers shipping only to the EU, would still need to be GDPR compliant.
Data Subject Rights: UAE Data Protection Law vs GDPR
While the GDPR and the PDPL differ in some areas, they agree in granting all users several rights over their data. Here are the rights guaranteed under both the GDPR and the PDPL:
The UAE
Here’s how the UAE’s PDPL interprets Data Subjects’ rights:
- Right to Access Information: The data subject has the right to request access to the following information:
  - The categories of personal data processed;
  - The reason for the processing;
  - Whether the personal data is shared inside or outside the jurisdiction;
  - Automated decision making on his/her personal data;
  - Controls or standards relating to the storage of his/her personal data;
  - Actions for rectification, restriction, or erasure of his/her personal data;
  - Safeguards applied to his/her personal data in case of cross-border data transfer;
  - Actions to be taken in case of a personal data breach;
  - The procedure to lodge a complaint with the UAE Data Office.
- Right to be Informed: The PDPL requires all data handlers to inform users what kind of data is being collected on them, where it is being stored, whether it is being shared with or sold to anyone, and what protective measures are in place to protect this data.
- Right to be Forgotten/Erasure: The data subject has the right to rectify any inaccuracy in their personal information and the right to require the data controller to erase their personal information.
- Right to Stop Data Processing: The data subject can exercise the right to request that a data handler cease processing their data in the following circumstances:
  - Where personal data is processed for marketing purposes;
  - Where the processing is for statistical survey purposes, unless the processing is essential for reasons of public interest;
  - Where the processing does not comply with the Personal Data Protection Principles set out under Article 5 of the PDPL.
- Right to Rectification: Similar to the right to erasure, the data subject can also request that the data handler make appropriate amendments and changes if the data collected is outdated, inaccurate, or incomplete.
- Right to Data Portability: The data subject has the right to receive their personal data in a structured and machine-readable format where the processing of personal data is based on the data subject's consent.
The GDPR
The GDPR remains the best standard when it comes to data protection regulations around the world. As anticipated, it has an expansive set of rights for data subjects. The most prominent include:
- Right to Access Information: The GDPR gives all data subjects the right to request access to all information that a company or website may have collected on them. Additionally, a user can request to know how the data collected on them has been used, stored, processed, sold, or shared with other companies. A data handler is legally obligated to inform the data subject of the following whenever requested:
  - The purpose of the processing;
  - The categories of personal data concerned;
  - The recipients or categories of recipients to whom personal data has been disclosed;
  - The retention period or, if that is not possible, the criteria used to determine that period;
  - The existence of data subjects' rights;
  - The source of the personal data, where it was not collected from the data subject, and any available information about it;
  - The right to file a complaint with the supervisory authority;
  - The existence of data transfers;
  - The existence of automated decision-making.
- Right to be Informed: The GDPR gives all data subjects the right to be adequately informed about any data collection needs of the website and to give free consent to such data collection. This includes, but is not limited to:
  - The identity and contact details of the controller, the controller's representative, and the DPO, where applicable;
  - The purpose and the legal basis of the processing;
  - The legitimate interests pursued by the controller or by a third party, where the processing is based on legitimate interests;
  - The categories of personal data concerned;
  - The recipients of the personal data;
  - Data transfers to a third party or country.
- Right to be Forgotten: The GDPR gives all data subjects the right to request that any company or website delete and permanently remove any data that may have been collected or processed on the user. The data subject has the right to make this request under the following conditions:
  - When the personal data is no longer necessary for the purposes for which it was collected;
  - Where consent is withdrawn by the data subject;
  - When the data subject objects to data processing based on legitimate interests;
  - When the data subject objects to data being processed for direct marketing purposes;
  - When the personal data is unlawfully processed;
  - When personal data has to be erased for compliance with a legal obligation;
  - When the personal data was collected from a child in connection with the offer of information society services to that child.
- Right to Stop Data Processing: The GDPR gives all data subjects the right to request that a company or website cease processing their data for any and all purposes, effective immediately after such a request is made.
- Right to Rectification: The GDPR gives all data subjects the right to request amendments to the data collected on them, or to request a modification in the case of outdated or incorrect data.
- Right to Data Portability: The GDPR gives all data subjects the right to request that a company or website provide them with a copy of all data collected on them in a machine-readable, easy-to-transfer format.
Penalties for Non-Compliance
This is one of the biggest differences between the PDPL and the GDPR. While the GDPR takes a standardized approach, with fixed maximum penalties for anyone in breach of the law, the UAE law approaches penalties on a case-by-case basis:
The UAE
The UAE's data protection law does not yet have any standardized penalties in place for websites and companies found to be non-compliant. Further executive regulations setting out penalties will follow once the law comes into force in January 2022.
Until such regulations are issued, the courts and the UAE Data Office will examine each case of non-compliance separately and decide the appropriate punishment in each case.
The GDPR
The GDPR is incredibly strict when penalizing companies and websites found to be in non-compliance with any of the law’s provisions.
Under GDPR, non-compliance and data breaches can result in fines as high as 20 million euros or 4% of the violating company’s annual global turnover – whichever amount is higher.
Privacy Policy
The privacy policy is an important document and tool that helps any data controller communicate to its users exactly what they are signing up for. Both the UAE's PDPL and the GDPR have comprehensive and clear guidelines on what any data handler's privacy policy must contain.
The UAE
Before processing a data subject's personal data, a controller must provide the data subject with the purposes of the processing, any third parties that the personal data will be shared with, and the protection measures put in place to cover any cross-border data transfers.
The UAE's PDPL mandates that all data controllers be transparent with data subjects about their data collection activities. This includes detailed information about what data is being collected, why it is being collected, how the collected data is used, whether it is shared with or sold to another party, whom to contact if the data subject wishes to request access to, alteration of, or deletion of their data, and how the collected data is protected.
The GDPR
The GDPR requires all data controllers to have an extensive privacy policy. They must also ensure that the policy is easy to read and comprehensible, and that it does not use any jargon that may create confusion about the consent agreement.
The privacy policy must contain information on the identity and contact details of the controller, the controller's representative where applicable, the controller's data protection officer where applicable, the purposes of the processing, the lawful basis of the processing, the recipients or categories of recipients of personal data, and, where applicable, whether the controller intends to transfer personal data outside the EU. The policy must also reiterate the rights of data subjects and explain how they can withdraw their consent at any time.
Conclusion
Complying with the GDPR, the UAE data protection law and its executive regulations is crucial for UAE businesses that engage with the EU market. This can be daunting and complex to abide by due to the similar nature of both laws. You can reach out to us for proper guidance on data protection compliance for your company. Ensuring compliance avoids penalties and builds trust with clients and partners, positioning the company as a reliable and responsible entity in the global market.
We at eLegal Consultants are ready to journey with you to actualize your dreams. Contact us today.