The United Arab Emirates has passed two federal laws for data protection which introduce key principles of international best practice for the protection of personal data.
UAE Federal Decree Law No 45 of 2021, Regarding the Protection of Personal Data (“PPD Law”) came into effect on 2 January 2022, with Executive Regulations expected in March 2022. There will be a six month window from March for compliance (the ‘compliance window’).
The UAE Federal Decree Law No 44 of 2021, Creation of the UAE Data Office established the Data Protection Office to issue guidance and oversee compliance.
Compliance with the law involves an understanding of both the obligations imposed upon parties processing data and the corresponding rights of individuals.
The principles which underlie this legislation require that Personal Data must be:
processed in a fair, transparent and lawful manner;
both collected and processed for a specific purpose;
accurate and regularly updated;
deleted or anonymised when no longer required or on request from the individual;
Businesses must not only think about how and why they collect Personal Data, but they must also ensure that the data is protected and regularly reviewed. They cannot be satisfied that they are complying with the legislation purely because they have obtained the consent of an individual (i.e. the “box ticking” scenario). There must be active, ongoing housekeeping in place to ensure that the principles set out above are being met.
We recommend businesses use the compliance window to carry out an internal audit. We have identified 6 steps:
identify the Personal Data within their organisation,
identify how the data is obtained and processed,
identify any third parties who process data on their behalf, known as Processors,
identify any international data transfers,
establish internal procedures to safeguard the personal data,
establish internal procedures to manage individual personal data requests.
As part of the internal procedures, the business should appoint a Data Protection Officer.
To carry out this audit the business must understand what and who is captured by the PPD Law. A look at the key defined terms is helpful:
What is Personal Data?
Personal Data includes any data relating to a specific natural person or relating to a natural person that can be identified directly or indirectly by linking the data or through the use of identification elements such as names, voices, pictures, identification numbers, electronic identifiers, geographical locations, or one or more of physical, physiological, economic, cultural or social characteristics, including Sensitive Personal Data and Biometric data.
Sensitive Personal Data is any data that directly or indirectly discloses the family or ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data of a natural person, or any data relating to a person’s health.
Biometric data is personal data resulting from processing using a specific technology relating to the physical, physiological or behavioural characteristics of the inividual, which allows the identification or confirmation of the unique identification of the individual, such as facial image or fingerprint data.
What is not included? The legislation does not regulate personal health data and information, or personal banking and credit data where such data is covered under separate legislation.
What does Processing data cover?
Processing includes any operation or set of operations performed on Personal data using any electronic means, including “processing” and “other means” which include collection, storage, recording, organizing, adapting, modifying, circulating, recovering, exchange, sharing, using, characterizing or disclosing of personal data by broadcasting, transmitting, distributing, making available, formatting, merging, limiting, hiding, erasing, destroying, or creating forms for these data.
Who does the law apply to?
The law applies to both Controllers and Processors.
A Controller is any entity which is processing Personal Data. It can be an individual or an organisation. The entity determines the method and criteria for processing the Personal Data and the purpose.
Who is not included? Governmental authorities, security and judicial authorities. Entities which fall within the UAE free zones have separate data protection laws – Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC).
A Processor is any third party who is processing personal data on the instruction of the Controller.
It is evident that any business operating with employees, clients and/or an online presence will not be able to escape the scope of this legislation.
1. Identifying Personal Data
With the all-encompassing definition of personal data, the internal audit must identify Personal Data from all corners of its organisation. Data should be collated from employees, third party contractors or consultants, clients and customers, potential customers or clients through marketing data and any online presence which stores data from browsers.
The law applies to Personal Data of individuals residing or working in the UAE (‘UAE Personal Data’). It applies to (1) all Controllers and Processors located in the UAE regardless of where the individual lives or works, in the UAE or abroad and (2) all Controllers or Processors located outside of the UAE who are processing UAE Personal Data.
The legislation places obligations on the Controller to ensure that processing of Personal Data must be carried out in a fair, transparent and lawful manner.
Consent is key to lawful processing subject to certain exemptions. Consent must be made through a positive action and not implied. This means an individual must actively agree by signing a document or electronically tick a box. The individual must be made aware that they can withdraw consent at any time.
The main exceptions which allow processing without consent are:
public interest concerns,
the individual has made the information publicly available,
processing is necessary to protect the interests of the Data Subject
processing is necessary to carry out obligations relating to employment or social protection
processing is necessary to implement a contract to which the Data Subject is a party, or to take measures at the request of the Data Subject with the aim of concluding, amending or terminating a contract,
processing is necessary to carry out specific obligations in other laws in the state of the Controller.
As mentioned above, the Personal Data must be collected for a specific reason. It must be accurate and kept up to date. It must be held securely. It must be deleted when no longer needed or anonymised so that it cannot be linked to the individual.
The Controller must identify Processors, any third parties who are processing Personal Data on their behalf.
There must be a signed written agreement in place clearly determining the Processor’s obligations, responsibilities and roles. Processors must apply appropriate technical and security procedures, and the same obligations are placed on the Processor to ensure that the information is accurate, specific for the purpose, and deleted or returned to the Controller when appropriate. Processers must also keep a record of the Personal Data processed and be able to provide details of the processing and the safeguards in place to prove compliance.
4. Data Transfers
Businesses must establish if any Personal Data is transferred out of the UAE and if so, where to. Under the PPD Law, Personal Data may be transferred to another country, provided the country has adequate levels of protection to safeguard the data. A list of countries is expected to be published.
If there is not an adequate level of protection in the relevant country, there are a number of exemptions which would allow a transfer. Data can be transferred with the express consent of the individual, or if the transfer is necessary for the conclusion or implementation of a contract between the Controller and the individual, or between the Controller and third parties to further the individual’s interest. We expect further guidance on these provisions to follow.
Confidentiality and privacy are key. The business must take steps to ensure that the Personal Data is securely maintained, and appropriate technical and organisational measures and procedures are implemented to protect the Personal Data from being breached, destroyed, altered or tampered with. The Controller must also assess the effect of proposed processing operations on the Personal Data protection, when using any technologies that would pose a high risk to the privacy and confidentiality of the Personal Data – a high impact assessment.
6. Dealing with Data requests
The PPD Law lists the information which must be provided to an individual, and also the requests an individual can make. These include the right to know the data held, and how that data is processed. The individual has the right to request that the data is transferred to another Controller. There is also the right to request that the data is deleted or that processing is restricted or stopped. Businesses must have internal procedures in place which would allow them to process these requests, identify the data and provide an appropriate response.
This is a brief introduction to the new legislation. If data protection principles are new to a business, the compliance window is the key time to become familiar with the issues and implement the necessary steps to ensure that there are fully complying with the PPD Law. As we have highlighted above, there are obligations at every step of the process beginning with how the data is obtained, who the data can be shared with, how the data is used, how the data is stored and how the data is deleted.
We recommend carrying out a Data Protection audit of the business to identify what Personal Data is being processed, what internal procedures are currently in place and what additional steps are needed to meet the gap for compliance now and on an ongoing basis.
Rouse can offer internal training seminars to help businesses understand in more detail how to achieve data protection compliance.