Unravelling the Data Protection Law - Cobweb MENA

Unravelling the Data Protection Law

Home » Content Hub » Unravelling the Data Protection Law

Need To Get To Grips With The UAE’s New Personal Data Protection Law? Here’s An Essential Guide.

The UAE Federal Decree Law No. 45 of 2021 on Protection of Personal Data (the “Law”) is now effective. To help you better understand its requirements, we joined forces with Abdo Rafiq & Partners, Attorney & Legal Consultants and Badi Fattah, Head of Corporate Commercial practice who will speak about the new Law. Here Badi answers some of your most pressing questions on the new law.

  • How long do businesses have to comply with UAE Federal Decree Law No. 45 of 2021 on Protection of Personal Data (the “Law”)?

The Law became effective on 2 January 2022 however, there is an implementation period. As of the current position, all businesses are required to comply with the Law within 6 months of issuance of the Executive Regulations.

Summary: Expect 6 to 12 months

  • Has the law been published in full?

The Law has been published; however, further details remain to be clarified in the Executive Regulations which are to be issued within 6 months of the Law being promulgated. It is expected the Executive Regulations may be issued as early as March 2022.

Summary: Yes, but more details are to follow

  • Who does the law apply to?

The Law applies to:

  • any processing of personal data in the UAE;
  • each controller or processor inside the UAE that processes data of non-UAE data subjects.
  • each controller or processor outside the UAE that processes data of UAE data subjects.

Summary: The Law has extra-territorial reach

  • Who is specifically exempt from complying with the law?

There are number of categories exempted but as far as data collection for commercial purposes is concerned, businesses collecting personal data in or outside the UAE are required to comply with the new Law.

Summary: Government entities mostly

  • Who is the relevant data protection authority?

A single national data privacy regulator – the UAE Data Office – has been decreed which will be responsible for issuing policies, handling complaints and supervising implementation of the data protection regime among other things.

Summary: The UAE Data Office

  • What are the penalties for non-compliance?

The Law does not expressly state the penalties and categories, which will be determined through the Executive Regulations. All sanctions & penalties under the UAE criminal penal code shall continue to apply as per the previous regime.

Summary: To be issued

  • Is there a requirement to issue a “privacy notice”?

Although the Law does not expressly stipulate this, it is most likely the Executive Regulations will have an express provision or as alternative businesses will be legally advised to adopt the practice of issuing up to date privacy policies.

Summary: Yes, most likely

  • Is “consent” the only basis on which personal data can lawfully be processed?

There are various categories under the Law which permit legitimate processing of personal data, consent from a Data Subject is generally needed however the Law already provides for specific circumstances where consent may not be required.

Summary: No, there are other bases

  • What does the Data Protection Law say about cross-border data transfers?

Cross-Border Personal Data transfers will be subject to restrictions in line with whether the destination country/territory has an adequate level of protection.

Summary: Will be permitted but with protocols/safeguards

  • Do any statutory filings or registrations need to be submitted?

Yes, the Law does impose obligations including maintaining records on data processing, impact assessments and reporting data breaches in accordance with the law and the Executive Regulations.

Summary: Yes, there will be in due course

If you want to know more about your responsibilities under the UAE’s new data protection law, watch the recorded session of our ‘Data Protection Town Hall’. Expert lawyer, Badi Fattah is joined by Microsoft security expert, Berfin Gokoglu to drill down into the law from an IT perspective and answer your questions. You can watch the Town Hall here.