Description

Federal Decree by Law No. 45 Concerning Protection of Personal Data enters into force

On 2 January 2022, the Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data entered into force. The Decree by Law applies to controllers and processors in the UAE and to those outside the UAE that process personal data of UAE data subjects. Governmental entities, health data, banking and credit data, and companies in free zones with dedicated personal data legislation are excluded. The Decree by Law requires controllers to process personal data lawfully and for specific purposes, maintain processing records, appoint a data protection officer where processing poses a high risk or involves large volumes of sensitive data, conduct impact assessments before high-risk processing operations, and notify the UAE Data Bureau (the Bureau) and affected data subjects of breaches. Processors must follow controller instructions and erase data upon expiry of the processing period. Data subjects are granted rights to access, correct, erase, restrict, transfer and object to automated processing of their personal data. Personal data may be transferred outside the UAE to Bureau-approved jurisdictions or, absent adequacy approval, under contractual safeguards, explicit data subject consent, or where necessary for legal claims or the public interest. The Bureau, established under Federal Decree by Law No. (44) of 2021, serves as the supervisory authority, receives and examines data subject complaints, and imposes administrative penalties where violations are established. The Bureau may exempt establishments that do not process large volumes of personal data from some or all requirements of the Decree by Law.

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
executive
Government Body
central government

Complete timeline of this policy change

2021-11-27
adopted

On 27 November 2021, the United Arab Emirates adopted the Personal Data Protection Law (PDPL) throu…

2022-01-02
in force

On 2 January 2022, the Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal D…