UAE gears up for implementation of landmark personal data protection law
The DPL will grant data subjects a number of rights over their personal data, including the right to access their personal data held by a controller, to request the transfer of their personal data, to have their data amended or erased, to restrict the processing of their personal data in certain cases, and to oppose automated processing and certain types of data processing such as marketing.
Data controllers will be required to communicate with data subjects and will need to appoint a Data Protection Officer (DPO) to comply with the law.
An organization will need to clearly explain to data subjects why their personal data is collected and processed, and may only use personal data for marketing purposes with the consent of the data subjects.
Organizations will also need to provide an “opt-out” method for data subjects to withdraw their consent, and will be required to limit the processing of their data, ensuring that they do not collect more data than necessary for the purpose they have indicated.
The DPL defines how companies should perform personal data protection impact assessments when using modern technologies that present potential risks to the privacy and confidentiality of data subjects.
Like the EU GDPR, the UAE DPL will have extraterritorial scope, applying to all UAE organizations that process the personal data of individuals inside or outside the United Arab Emirates.
It will also apply to organizations established outside the UAE that process the data of individuals inside the UAE.
Government data, on the other hand, as well as government and judicial bodies that control and process personal data, will be exempt from the DPA.
The law will also not apply to personal health data governed by the ICT Health Act, personal banking data that is already regulated separately, and businesses in UAE free zones that have pre-existing laws on protection of personal data – like Abu Dhabi Global Market.
Doshi said: “Due to this new regime, all companies operating in the United Arab Emirates, or which are based outside the United Arab Emirates but process the personal data of data subjects located in the United Arab Emirates, will have to evaluate their activities and make changes to align with the new Data Protection Act as soon as possible.”
In addition, a new “UAE data office”, which will regulate and update the DPL, will have the power to exempt other organizations that do not process large amounts of personal data.
The office will be responsible for preparing data protection policies, overseeing the application of federal legislation regulating personal data, and approving complaints and grievances systems.
It will also publish guidelines for authorities on how to implement data protection law.
From January 2, data controllers and processors will have six months to ensure their operations comply with the new law.
Sanctions for breaches are not included in current legislation but will be specified in future executive regulations.
It is not yet clear whether the regulations will give the UAE Data Bureau and courts the power to impose fines and other sanctions at their discretion.