The United Arab Emirates (UAE) introduced Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, a pivotal move that aligns the country with global data protection practices and marks a significant milestone in the region’s data privacy landscape.
Scope of Law:
This law applies to the processing of personal data, either partially or entirely, by means of electronic systems that operate automatically, or by other means. The law covers the following instances:
- Any Data Subject residing in the UAE or having a place of business in the UAE
- Any Controller or Processor residing in the UAE and carrying out the processing of Personal Data of Data Subjects both inside and outside the UAE
- Any Controller or Processor residing outside the UAE but carrying out the processing of Personal Data of Data Subjects within the UAE.
Exemptions to Law:
Certain categories are exempted from the data protection law. They are as follows:
- Government Data: Data controlled or processed by governmental entities.
- Government Entities: Governmental entities that control or process Personal Data.
- Security and Judicial Authorities: Personal Data held by security and judicial authorities.
- Personal Use: Personal Data processed by an individual for personal, non-commercial purposes.
- Health Data: Personal Health Data, where specific legislation exists regulating its protection and processing.
- Banking and Credit Data: Personal banking and credit data, where specific legislation governs their protection and processing.
- Free Zone Entities: Companies and establishments located in free zones that are governed by special legislation for Personal Data protection.
What is Personal Data
The law defines personal data as any information that can directly or indirectly identify an individual, including names, identification numbers, and online identifiers. An important criterion of the law is the requirement for entities to obtain clear and explicit consent from individuals before collecting, processing, or storing their personal data. Consent must be informed, freely given, and specific, ensuring that individuals maintain control over how their data is used.
Key Entities in Data Processing
The law focuses on three main entities involved in data processing:
- Data Subject: The individual whose personal data is being processed.
- Data Processor: The entity that processes personal data on behalf of the controller.
- Data Controller: The entity that determines the purpose and means of processing personal data.
These definitions introduce significant responsibilities for businesses operating in the UAE, requiring them to revamp their data management practices. Failure to comply with the law may result in hefty fines, penalties, and reputational damage.
Conclusion
The UAE Data Protection Law is a major step forward in aligning the country with global privacy standards. As the digital economy continues to grow, compliance with these regulations will be crucial for companies seeking to build trust with customers and maintain a competitive edge in the UAE’s evolving data landscape.