The United Arab Emirates Personal Data Protection Law (PDPL) enters into force, but it will not be implemented until six months after the publication of dedicated executive regulations. The Law applies to any organisation established in the UAE that controls or processes personal data, and to any organisation that controls or processes personal data of subjects inside the UAE. Data processed by public authorities, as well as health, banking and credit data, are excluded from the PDPL's scope. The Law establishes that the lawful bases for personal data processing can be consent, public interest, public health protection or the performance of a contract, and that data processing is required to follow the principles of fairness, transparency, minimisation, accuracy, and security. To that end, the Law introduces obligations regarding the presence of a Data Protection Officer in data processing organisations, the creation of a record of processing activities, mandatory data breach reporting and data protection impact assessments. Moreover, the Law introduces the data subjects' rights to data access, rectification, erasure and portability. Cross-border data transfers are allowed only to approved countries or in cases of contractual necessity, public interest or the data subject's request. The Law does not cover the UAE’s financial free zones, which have their own personal data regulations. Finally, the Law introduces penalties for violations and delegates enforcement of the Law to the data office.