United Arab Emirates: Adopted Personal Data Protection Law

On 27 November 2021, the United Arab Emirates adopted the Personal Data Protection Law (PDPL) through Federal Decree-Law No. 45, a large legal reform. The PDPL applies to any organisation that controls or processes personal data which is either established in the UAE or handles personal data of subjects within the UAE. The PDPL establishes the lawful bases for personal data processing, namely consent, public interest, public health protection or the performance of a contract, as well as the principles of data processing, namely fairness, transparency, minimisation, accuracy, and security. Moreover, the PDPL introduces obligations regarding the presence of a Data Protection Officer in data processing organisations, the creation of a record of processing activities, mandatory data breach reporting and data protection impact assessments. Furthermore, the PDPL introduces the subjects' rights to data access, rectification, erasure and portability. Cross-border data transfers are allowed only with approved countries or in case of contractual necessity, public interest or data subject's request. Finally, the PDPL introduces the penalties in case of violations and delegates to the data office the enforcement of the PDPL. The PDPL does not cover the UAE’s financial free zones, which possess their own personal data regulations, and does not apply to data processed by public authorities as well as health, banking and credit data. The PDPL will enter into force on 2 January 2022 but it will not be implemented until six months after the publication of dedicated executive regulations.