The Federal Decree-Law no. 45 on the Protection of Personal Data came into force on 2nd January 2022. The new law applies to the processing of personal data (1) of a data subject who resides in the UAE, (2) by any controller or processor residing in the state, whether processing the data inside or outside the country (3) and to any controller or processor residing outside the state and processing the data inside the state of the UAE.
The data protection law of the UAE follows the general trend of protecting the data of individuals and imparts them with several rights which ensure the safety and accuracy of the data collected. The data cannot be collected from a subject without his effective consent and in absence of a specified purpose.
The law in general prohibits the processing of personal data without the consent of the data subject (i.e. the individual whose data is processed). However, the law carves out certain exceptions to the general rule. Data processing without the consent is allowed where (1) it is necessary for a public interest; (2) the subject himself reveals such data to the public; (3) it is necessary for legal proceedings; (4) the processing is necessary for the protection of public health;, (5) necessary for archival purposes for scientific or historical studies; (6) necessary to perform a contract to which the data subject is party.
The law provides for several other exceptions involving the welfare of the data subject or where the data processing is necessary to comply with laws and regulations of the UAE.
Article 5 of the law provides clear guidelines for processing the data. It states that the data ought to be collected for a specific purpose and it cannot be processed for any other purpose incompatible with it. The important aspect of data collection here is that, only the data necessary to fulfill such a purpose is to be collected. Article 5 specifies that there must be compliance with appropriate technical and organizational measures to keep the personal data of a subject safe and secure to prevent any breach, infringement, or illegal processing.
The law poses an obligation to ensure that the data collected is correct with a need to have a mechanism to erase the data or correct any incorrect personal data. In a situation where the original purpose for which the personal data was collected stands fulfilled, there is an obligation to delete or erase the data collected.
Alternatively, the data can only be kept if the identity of the data subject is anonymized using the ‘Anonymization’ feature.
Article 6 sets out the conditions for consent to process data. The controller must be in a position to prove that consent of the data subject was obtained, the consent so given was in clear terms and the consent indicated the right of the subject to withdraw the same.
Article 13 of the law provides the Right to information to the data subject. The data subject can on request obtain information about (1) the types of his data which is processed (2) purpose of processing the data (3) process for correcting, erasing, or limiting the processing of data (4) protection measures for Cross border processing (5) process of filing a complaint with the data office.
The data subject has a right to request the transfer of personal data to another controller and a right to correct or erase his personal data. The right to the erasure of personal data is subject to public health, legal proceedings, or if the request to erase data conflicts with the law or any regulation.
The data subject also has a right to restrict data processing in cases where the accuracy of data is questionable and where the processing of data is for a purpose not agreed upon by him.
The data subject also has a right to stop the processing of his data if the processing of the data is (1) for direct marketing purposes including profiling, (2) for conducting statistical surveys (3) in direct violation of the processing rules established in the law.
The law also provides data subjects with a Right to object to a decision issued concerning Automated processing that has legal consequences or if the automated processing results in profiling.
The data subject can file a complaint with Data Office if he has reason to believe that any violation of law has taken place. The Data Office can impose penalties on controllers or processors for violating the law.
To know more, kindly contact us: