The UAE Federal Decree Law No. 45 of 2021 on Protection of Personal Data (the “Law”) is now effective. To help you better understand its requirements, we joined forces with Abdo Rafiq & Partners, Attorney & Legal Consultants and Badi Fattah, Head of Corporate Commercial practice, who will speak about the new Law. Here Badi answers some of your most pressing questions on the new Law.
The Law became effective on 2 January 2022; however, there is an implementation period. As things currently stand, all businesses are required to comply with the Law within 6 months of issuance of the Executive Regulations.
Summary: Expect 6 to 12 months
The Law has been published; however, further details remain to be clarified in the Executive Regulations which are to be issued within 6 months of the Law being promulgated. It is expected the Executive Regulations may be issued as early as March 2022.
Summary: Yes, but more details are to follow
The Law applies to:
Summary: The Law has extra-territorial reach
There are a number of exempted categories, but as far as data collection for commercial purposes is concerned, businesses collecting personal data in or outside the UAE are required to comply with the new Law.
Summary: Government entities mostly
A single national data privacy regulator, the UAE Data Office, has been decreed. It will be responsible for issuing policies, handling complaints and supervising implementation of the data protection regime, among other things.
Summary: The UAE Data Office
The Law does not expressly state the penalties and categories, which will be determined through the Executive Regulations. All sanctions & penalties under the UAE criminal penal code shall continue to apply as per the previous regime.
Summary: To be issued
Although the Law does not expressly stipulate this, it is most likely that the Executive Regulations will have an express provision or, as an alternative, businesses will be legally advised to adopt the practice of issuing up-to-date privacy policies.
Summary: Yes, most likely
There are various categories under the Law which permit legitimate processing of personal data. Consent from a Data Subject is generally needed; however, the Law already provides for specific circumstances where consent may not be required.
Summary: No, there are other bases
Cross-Border Personal Data transfers will be subject to restrictions in line with whether the destination country/territory has an adequate level of protection.
Summary: Will be permitted but with protocols/safeguards
Yes, the Law does impose obligations, including maintaining records on data processing, impact assessments and reporting data breaches in accordance with the Law and the Executive Regulations.
Summary: Yes, there will be in due course
If you want to know more about your responsibilities under the UAE’s new data protection law, watch the recorded session of our ‘Data Protection Town Hall’. Expert lawyer Badi Fattah is joined by Microsoft security expert Berfin Gokoglu to drill down into the Law from an IT perspective and answer your questions. You can watch the Town Hall here.