United Arab Emirates - Federal Decree Law No. 45

Who is excluded from compliance with Law No. 45? 

Federal Decree Law No. 45 excluded several types of entities and of data, as follows:

• “government data;
• government authorities that control or process personal data;
• personal data held with security and judicial authorities;
• a data subject who processes his/her data for personal purposes;
• health personal data that is subject to legislation regulating the protection and processing thereof;
• banking and credit personal data and information that is subject to legislation regulating the protection and processing thereof;
• companies and institutions located in the free zones of the State and are subject to special legislation on personal data protection.”

In addition to this, Article 3 stipulates that the data protection authority, the Data Office, “may exempt those Establishments that do not process a large amount of personal data from all or some of the requirements and conditions of the provisions of personal data protection stipulated herein, in accordance with the standards and controls set by the Executive Regulations of this Decree Law.” As the Executive Regulations have yet to be published, it remains unclear what other exemptions there would be under UAE’s law.

How can I keep my organization compliant with Law No. 45? 

With the exception of the situations outlined in Article 4, personal data processing can only be performed with the data subject's consent. These situations include the necessity to protect public interest, the necessity “to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures,” or special cases set by the Executive Regulations of the law, to name a few. Article 5 lists the personal data processing principles that controllers have to observe:

• “processing must be made in a fair, transparent and lawful manner.
• personal data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, personal data may be processed if the purpose of processing is similar or close to the purpose for which such data is collected.
• personal data must be sufficient for and limited to the purpose of the processing.
• personal data must be accurate and correct and must be updated whenever necessary.
• Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect personal data.
• personal data must be kept securely and protected from any breach, infringement, or illegal or unauthorized processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
• personal data may not be kept after fulfilling the purpose of processing thereof. It may only be kept in the event that the identity of the data subject is anonymized using the ‘Anonymization’ feature.
• Any other controls set by the Executive Regulations of this Decree Law.”

Additionally, controllers have to be able to prove that they obtained the consent of the data subject, consent has to be given “in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form,” and consent must also take into account the right of the data subject to withdraw consent at any time, which has to be easily made. 

As a data controller, under Article 7, you have the following obligations: 

• Take the appropriate technical and organizational measures and procedures to ensure the security and confidentiality of the personal data and avoid infringement, damage, alteration or tampering with, “taking into account the nature, scope and purposes of processing and the potential risks to the confidentiality and privacy of the personal data of the data subject.”
• Apply the appropriate measures to ensure that you respect the principles outlined in Article 5, such as pseudonymization.
• Apply the appropriate technical and organizational measures to ensure that the processing of personal data is limited to its intended purpose, in terms of amount and type of data, type of processing and the duration for storing the data.
• “Maintain a special record of personal data which must include the data of the controller and Data Protection Officer, as well as a description of the categories of personal data held thereby, data of the persons authorized to access such personal data, the processing durations, restrictions and scope, the mechanism of erasure, modification or processing of personal data, the purpose of processing and any data related to the movement and cross-border processing of such data, while indicating the technical and organizational procedures related to information security and processing operations, provided that the controller provides this record to the Office whenever requested to do so.”
• Appoint a data processor that offers sufficient guarantees for the application of technical and organizational measures that ensure meeting data processing requirements outlined in the text of the law, as well as subsequent decisions or the Executive Regulations. 
• Provide the data protection authority with any information requested.
• Fulfill any other obligations set by the Executive Regulations.

Added to this, according to Article 21, controllers have an obligation to conduct a data protection impact assessment “if the processing involves a systematic and comprehensive assessment of the personal aspects of the data subject based on automated processing, including profiling, which would have legal consequences or would seriously affect the data subject and if the processing will be made on a large amount of sensitive personal data.”

Data processors’ obligations are delineated by Article 8 as follows: 

• Conducting the processing “in accordance with the instructions of the controller and the contracts and agreements concluded between them that specify in particular the scope, subject, purpose and nature of the processing, the type of personal data and categories of data subjects.”
• Applying “the appropriate technical and organizational measures and procedures to protect personal data at the design stage [...] taking into consideration the cost of applying such measures and procedures and the nature, scope and purposes of the processing.”
• processing data according to the purpose and for the duration set beforehand and informing the controller an extension for processing is required.
• Deleting the personal data after the expiration of the processing period or handing the data back to the controller.
• Not disclosing any personal data or any results of processing except in cases permitted by law. 
• Ensuring the security of processing through appropriate security of the media and electronic devices used in the processing and the storing of personal data.
• Same as the data controller, maintaining “a special record of personal data processed on behalf of the controller, which must include the data of the controller, processor and Data Protection Officer, as well as a description of the categories of personal data held thereby, data of the persons authorized to access such personal data, the processing durations, restrictions and scope, the mechanism of erasure, modification or processing of personal data, the purpose of processing and any data related to the movement and cross-border processing of such data, while indicating the technical and organizational procedures related to information security and processing operations, provided that the processor provides this record to the Office whenever requested to do so.”
• Prove abidance to the provisions of this data privacy law, at the request of the controller or Office.
• Conduct data processing in accordance with the rules, requirements and controls set by this privacy law and the Executive Regulations, or as instructed by the data protection authority.
• If the processing involves more than one processor, the processing must be made in accordance with a contract or written agreement which clearly defines responsibilities and roles related to the processing.

Both the controller and the processor have an obligation to ensure the security of the personal data in their possession, according to Article 20, by establishing and taking appropriate technical and organizational measures and procedures to ensure achievement of the information security level that is commensurate with the risks associated with processing, in accordance with the best international standards and practices, which may include encryption or pseudonymization of data, for example. Also, both have an obligation to appoint a Data Protection Officer “who has sufficient skills and knowledge of personal data protection, in any of the following cases:

• if the Processing would cause a high-level risk to the confidentiality and privacy of the personal data of the data subject as a result of adopting technologies that are new or associated with the amount of data;
• if the processing will involve a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing;
• if the Processing will be made on a large amount of sensitive personal data.”

In the event of a data breach, controllers have an obligation to notify the data protection authority “upon becoming aware of any infringement or breach of the personal data of the data subject that would prejudice the privacy, confidentiality and security of such data,” within the period of time and in accordance with the procedures and conditions set by the Executive Regulations of the law. The notification has to include the nature, form, causes, approximate number and records of the infringement or breach; the data of the Data Protection Officer appointed; the potential and expected effects of the infringement or breach; the procedures and measures taken and proposed to be applied to address this infringement or breach and reduce its negative effects;  documentation of the infringement or breach and the corrective actions taken; and any other requirements by the data protection authority. 

Additionally, the controller has an obligation to inform the data subject of the breach in the event that this would prejudice the privacy, confidentiality and security of the data subject’s personal data and advise the data subject of the procedures taken, within the period of time and in accordance with the procedures and conditions set by the Executive Regulations of the law. If the data breach is with the data processor, they have an obligation to inform the data controller without undue delay so the latter can report it to the Office, as stated earlier. 

Cross border transfers are allowed where there is an appropriate level of protection and for cases where the receiving country does not have such an appropriate level of protection, the law stipulates that this is only allowed “pursuant to a contract or agreement that requires the establishment in those countries to implement the provisions, measures, controls and requirements contained in this law.”

What data access rights does Law No. 45 grant? 

Law No. 45 stipulates that data subjects have the following rights: 

• Right to access
• Right to data portability
• Right to correct 
• Right to delete
• Right to restrict or stop processing
• Right to object to automated decision-making
• Right to opt-out of direct marketing

How should organizations address data subject access requests under Law No. 45?

The law offers no timeline for answering data subject requests. It is expected that this will be clarified in the Executive Regulations that have yet to be published. 

Enforcement and penalties

The enforcing authority will be the Data Office, which will be established pursuant to Federal Decree Law No. 44 of 2021. However, there will be a 2 year period during which the Telecommunications and Digital Government Regulatory Authority (TDRA) will offer administrative and logistical assistance.

As regards penalties, the same Executive Degree that is still awaited will provide the relevant values for these. 

Data Subject Rights - GDPR vs. Law No. 45