Introduction
Personal Data means any data relating to an identified natural person, or to a natural person who can be identified by reference to identifiable information or by linking data. The identifiers could be his or her name, voice, picture, physical or physiological information, cultural or social characteristics, electronic identifier or geographical location; the term also covers biometric data and sensitive personal data.
The Federal Law No. 45 of 2021 (“Personal Data Law”) came into force on 2 January 2022, and its Executive Regulations took effect on 20 March 2022. The law is intended to ensure the confidentiality and security of Personal Data and sets out the rights and duties of all concerned parties in this regard.
The Personal Data Law governs the processing of Personal Data:
- of any Data Subject who is located or domiciled in, or has a place of business in, the State; or
- by any data controller or data processor who is established in the State and processes Personal Data of Data Subjects who are within or outside the State; or
- by any data controller or data processor who is not established in the State and processes Personal Data of Data Subjects who are in the State.
However, the new law in the UAE does not apply to governmental data; government authorities that control and process Personal Data; Personal Data in the possession of security and judicial authorities; a Data Subject who processes information relating to himself for his personal use; health or credit data governed by their own respective legislation; or entities established in free zones that have their own personal data protection laws.
The Personal Data Law defines:
- Data Subject as a natural person to whom the Personal Data relates;
- Controller as an establishment or natural person who possesses Personal Data and controls the processing of that Personal Data;
- Processor as an establishment or natural person who processes Personal Data for and on behalf of the Controller, in accordance with the Controller’s instructions; and
- Processing as a set of operations performed on Personal Data, including but not limited to collecting, storing, recording, altering, distributing or destroying Personal Data.
Major points in the Personal Data Law
- The consent of the Data Subject must be obtained before processing their Personal Data, subject to certain exceptions. These include, inter alia, situations where processing is necessary to protect the public interest, where the Personal Data has been made publicly available by the Data Subject, where processing protects the interests of Data Subjects for scientific or archival purposes, and where it is necessary to establish a legal claim or defend rights. Establishments that process Personal Data should ensure that consent is obtained in a clear, simple and unambiguous format, and must not undermine the right of the Data Subject to withdraw consent at any time.
- The Personal Data Law sets out the mandatory controls that must be complied with while processing Personal Data. These include collecting Personal Data for a clear and specific purpose, not using it for any other purpose, and storing it safely and protecting it from any unlawful or unauthorized access or processing. Any establishment processing Personal Data should ensure that it has adequate mechanisms, including internal systems and resource controls, so that the checks and measures for lawful processing are in place.
- It is the responsibility of the Controller to take appropriate technical and organizational measures to meet the required standards for securing Personal Data, and to maintain a record of the Personal Data processed containing such other details as are specified in the Personal Data Law (which may have to be provided to the Office whenever requested). The Controller should also ensure that the measures imposed fulfil their objectives.
- It is the responsibility of the Processor to implement the appropriate measures to protect the Personal Data as per the instructions of the Controller, to delete the data after the expiry of the processing period or hand it over to the Controller, to maintain a record of the Personal Data of the Data Subject on behalf of the Controller, etc.
- The Controller, on becoming aware of any breach of Personal Data that would “prejudice the privacy, confidentiality and security of the Personal Data of the Data Subject”, must inform the Data Office. The Controller must also notify the Data Subject of the breach, together with a detailed timeline of the breach notification and the actions it has taken.
- Where there is a high level of risk to the confidentiality and security of the Data Subject’s personal data being processed, the Controller and the Processor must appoint a Data Protection Officer (DPO) who has sufficient skills and knowledge of Personal Data protection. The DPO may be an employee of the Controller/Processor, or a person authorized by them, from within or outside the State.
- The Data Subject has, inter alia, the following rights:
  - To obtain, free of charge, information and details of the processing carried out on their Personal Data.
  - To request the transfer of their Personal Data to another Controller, where technically feasible.
  - To request that the Controller change or correct their Personal Data without undue delay; and
  - To restrict the Controller from processing their Personal Data in several cases.
- The Controller and the Processor must ensure that the procedures and measures taken to secure the Personal Data, and the level of information security they provide, are in accordance with international standards and practice.
- Personal Data may be shared with or transferred to another jurisdiction provided that the receiving country has specific legislation for the protection and security of Personal Data.
How to effectuate the personal data protection in an Organization
An Organization must:
- Classify the sensitive and Personal Data within its data inventories by category.
- Carry out an assessment on appointing a DPO.
- Update its formal policies and procedures for collecting and processing Personal Data, and make the corresponding updates to its privacy policy as required.
- Have a robust data breach notification mechanism.
- Have a strategy to meet the stringent cross-border requirements under the Law, by mapping its processes and determining the cross-border data flows from the UAE to other jurisdictions.
- Have a comprehensive framework for handling Data Subject requests.
- Keep a proper record of data processing activities and produce a Record of Processing Activities (ROPA) report.
- Have proper technical and organizational security measures in place to protect its processing and security activities.
- Conduct personal information protection assessments, vendor assessments and any other required risk assessments.
One comment
Awatif Mohammad Shoqi Advocates & Legal Consultancy
December 27, 2023 at 10:26 am
Exploring the intricacies of the legal system is always enlightening. Your blog provides valuable insights into the ever-evolving landscape of law. As someone passionate about justice, I appreciate your commitment to shedding light on legal nuances. Keep up the excellent work!