UAE - Data Protection Overview

April 2024

1. Governing Texts

The United Arab Emirates (UAE) published its first federal-level data protection law, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL), on September 20, 2021. The PDPL becomes enforceable six months after the associated executive regulations (the Executive Regulations) are issued. The Executive Regulations (which we expect to set out much of the practical and operational detail of the PDPL) were stated to be issued within six months of the issuance of the PDPL (i.e., by March 20, 2022), meaning enforcement was intended to commence after September 20, 2022. Notably, however, the UAE Data Office (the Data Office) reserves the right to extend the enforcement date, and the issuance of the Executive Regulations has been delayed. For now, therefore, this overview has been prepared based on our own current interpretation and understanding of the PDPL. It will be revisited and revised once the Executive Regulations have been published.

Aside from the PDPL, the Constitution of the UAE (only available in Arabic here) (the Constitution) gives citizens a general right to privacy, and provisions of Federal Law No. 5 On the Civil Transactions Law of the United Arab Emirates State (the Civil Code) are also relevant when considering privacy-related issues. Elsewhere, sector-specific regulations (such as the telecommunications, consumer protection, consumer finance, and cybercrime laws) also provide some limited data protection rights in certain circumstances and contexts.

The UAE plays host to a number of special economic zones known as 'free zones', which offer tax, customs, and other benefits to businesses. Of these free zones, the Dubai International Financial Centre (DIFC), the Abu Dhabi Global Market (ADGM), and the Dubai Healthcare City (DHCC) have each enacted separate data protection laws applicable to businesses operating in the relevant zone.

1.1. Key acts, regulations, directives, bills

The PDPL is the generally applicable federal data protection law and applies broadly to the processing of personal data. Thus, unless expressly excluded from its application, all controllers and processors (as each term is defined below) of personal data must comply with the provisions of the PDPL.

Article 31 of the Constitution is considered to represent the general right to privacy for citizens of the UAE, where it provides for the right to freedom and secrecy of communication by post, telegraph, or other means of communication under the law.

The Civil Code is also relevant. The Civil Code sets out certain obligations on employers when dealing with employee information, particularly on the termination of an employee's employment (Article 913 of the Civil Code) and, separately, provisions on the basis for non-competition agreements where employees have access to their employer's confidential information and/or client information (Article 909 of the Civil Code).

Telecommunications Law and Consumer Protection Regulations

Article 72(6) of Federal Law by Decree No. 3 of 2003 Regarding the Organisation of the Telecommunication Sector (the Telecommunications Law) provides that a person who intercepts the contents of telephone calls without prior permission from the competent judicial authorities may be punished with imprisonment for a period of not more than one year and/or a fine of not less than AED 50,000 (approx. $13,613) and not more than AED 200,000 (approx. $54,454). If a licensed operator reasonably believes that equipment is being used for the interception of telephone calls contrary to Article 72(6) of the Telecommunications Law, it may place the equipment under surveillance (Article 75 of the Telecommunications Law). Orders may also be issued for the seizure or destruction of the relevant equipment (Article 76 of the Telecommunications Law).

There are also requirements that derive from the Telecommunications Law with which only licensed operators are required to comply. 'Licensed operator' in the context of the Telecommunications Law means a business with a specific operator license from the Telecommunications and Digital Government Regulatory Authority (TDRA), the authority which oversees the telecommunications sector in the UAE.

Under powers granted to it by the Telecommunications Law, the TDRA has issued the Consumer Protection Regulations (CPR). Article 12 of the CPR seeks to ensure the protection of data relating to 'subscribers', or persons who contract with licensed operators for the supply of telecommunications services in the UAE. 'Subscriber information' is defined as 'any information relating to a specific subscriber', which includes a person's personal details, service usage details, the content of communications, account status, and payment history.

Licensed operators are subject to a number of obligations, including to take all reasonable and appropriate measures to protect the privacy of subscriber information (whether in paper or electronic form) and prevent its unauthorized disclosure or use (Articles 18.1 and 18.3 of the CPR). In addition, where it is necessary for a licensed operator to provide subscriber information to a third party that is directly involved in the supply of telecommunication services, the operator must require the third party to:

  • take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information; and
  • use the subscriber information only to the extent required to provide the relevant telecommunication service (Article 18.8 of the CPR).

Cybercrime Law

Article 2 of Federal Decree-Law No. 34/2021 Concerning the Fight Against Rumors and Cybercrime (the Cybercrime Law) provides that anyone who hacks a website, electronic information system, information network, or information technology method shall be sentenced to detention (the period is not specified) and/or a fine of not less than AED 100,000 (approx. $27,227) and not in excess of AED 300,000 (approx. $81,681). There are also higher monetary penalties and mandatory minimum imprisonment sentences where:

  • the hacking creates damage, destruction, disruption, or interruption of a website, electronic information system, an information network, or information technology method, or removes, deletes, destroys, discloses, damages, modifies, copies, publishes or republishes, captures or breaches the confidentiality of any data or information; or
  • the purpose of hacking is to capture data or information to fulfill an illegitimate purpose.

Article 6 of the Cybercrime Law provides that any person who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, copies, publishes, or re-publishes electronic personal data or information without authorization by using information technology or information technology methods shall be sentenced to detention for a period of not less than six months and/or to pay a fine of not less than AED 200,000 (approx. $54,454) and not more than AED 100,000 (approx. $27,227). Further, where an offense under Article 6 of the Cybercrime Law relates to information concerning medical examinations, diagnoses, treatment, care, or records, or to bank accounts or data and information of e-payment methods, this is deemed to be an aggravating circumstance. It is also an offense to employ information technology to collect, keep, or process personal data and information of the nationals or residents of the UAE in violation of UAE law, and such an offense is punishable by detention (detention period not specified) and/or a fine of not less than AED 50,000 (approx. $13,613) and not more than AED 500,000 (approx. $136,130).

Where a person takes prohibited actions with respect to government data and information or the data of financial, commercial, or electronic establishments, the Cybercrime Law mandates stricter penalties:

  • Article 7 of the Cybercrime Law provides that anyone who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, copies, publishes, or re-publishes confidential government data or information without authorization shall be sentenced to provisional imprisonment for a period of not less than seven years and to pay a fine of not less than AED 500,000 (approx. $136,130) and not more than AED 3 million (approx. $816,816); and
  • Article 8 of the Cybercrime Law provides that anyone who obtains, acquires, modifies, damages, discloses, leaks, cancels, deletes, alters, copies, publishes, or re-publishes confidential data or information of financial, commercial, or economic establishments without authorization by using information technology or an information technology method shall be sentenced to provisional imprisonment for a period of not less than five years and/or a fine of not less than AED 500,000 (approx. $136,130) and not more than AED 3 million (approx. $816,816).

Commercial Transactions Law

Articles 25 to 35 of Federal Law No. 50 of 2022: Commercial Transactions Law (the Commercial Transactions Law) set out detailed provisions relating to the maintenance of commercial books. For instance, Article 29 of the Commercial Transactions Law requires the trader to keep exact copies of the originals of all correspondence, telegrams, and invoices sent or issued by them for the purpose of their business activities, as well as all incoming correspondence (originals), telegrams, invoices, and other documents related to their trade, for a minimum period of five years from the date of issue or receipt.

Health Data Law

In the UAE, Federal Law No. 2 of 2019 on the Use of the Information and Communications Technology (ICT) in Health Fields (the Health Data Law) was enacted in May 2019, introducing noteworthy obligations around the collection, processing, and transfer of health data (as defined below) by a broad range of entities, including healthcare providers, medical insurance providers, healthcare IT providers, and providers of direct and/or indirect services to the healthcare sector (for example outsourced services, including cloud services) located onshore, in the DHCC, and in the free zones (Health Service Providers).

The Health Data Law seeks to protect health data in line with international best practice, as well as enabling the UAE's Ministry of Health both greater control over the sensitive data of its residents (as opposed to potentially putting it at risk in other jurisdictions) and a greater ability to collect and analyze health data in order to improve public health initiatives.

Following its enactment in May 2019, the Health Data Law has since been supplemented by additional regulations concerning the use of technology in the UAE healthcare sector in the form of Cabinet Resolution No. 32 of 2020 Concerning the Executive Regulation of the Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Areas of Health (the Resolution). The focus of the Resolution is on the Central Healthcare IT System (the System), one of the key changes introduced by the Health Data Law. While the Resolution sets out control requirements to be complied with for the security and accuracy of health data stored electronically, restrictions on the disclosure of health data without prior approval, and a right for patients to withdraw from the System, gaps in the Health Data Law remained, and the UAE community continued to seek further clarity on issues introduced by the Health Data Law.

In May 2021, the UAE Federal Government issued Ministerial Decision No. 51/2021 on the Case of Allowing the Storage and Transfer of Medical Data and Information Out of the State (only available in Arabic here) (the Decision) to clarify concepts of the Health Data Law relating to restrictions on the collection, processing, and transfer of health data by a broad range of entities across the UAE. The Decision introduces exceptions to the general restriction on extraterritorial data transfers with related conditions and obligations attached. The Decision therefore provides further clarity to businesses in relation to the storage and transfer of health data and signifies a further step taken by the UAE to regulate personal data in accordance with the best international standards.

1.2. Guidelines

There are no relevant guidelines in this area at present.

1.3. Case law

There is no relevant case law in this area at present.

2. Scope of Application

2.1. Personal scope

The PDPL applies to identified or identifiable natural persons.

2.2. Territorial scope

The PDPL has extra-territorial effect and applies to:

  • every data controller or data processor in the UAE who processes personal data of data subjects inside or outside the UAE; and
  • every data controller or data processor established outside the UAE carrying out processing activities in relation to data subjects located within the UAE.

2.3. Material scope

The PDPL applies to the processing of personal data. 'Processing' is defined broadly as any operation or set of operations performed on personal data, including the collection, storage, recording, organization, adaptation, modification, circulation, alteration, retrieval, exchanging, sharing, use, characterization, disclosure by transmission, dissemination, distribution, or otherwise making available, alignment or combination, restriction, withholding, erasure, destruction, or creating models of personal data.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The supervising authority responsible for overseeing the enforcement of the PDPL is set to be the Data Office, which is established under the separate Federal Decree-Law No. 44 of 2021 (Law No. 44/2021) issued contemporaneously with the PDPL. However, for the first two years of its operation, we understand that the TDRA will provide administrative and logistical support.

3.2. Main powers, duties and responsibilities

Article 3 of Law No. 44/2021 sets out the powers and duties of the Data Office which include:

  • proposing and preparing the policies, strategies, and legislation related to the affairs of data protection and supervising their implementation;
  • conducting the investigations necessary for ensuring compliance with data protection law;
  • receiving complaints and grievances concerning data protection; and
  • verifying them with all competent bodies.

The Data Office shall also appoint a director general whose mandate will include certain duties related to the daily operation of the Data Office.

4. Key Definitions

Data controller: A controller is the entity that obtains personal data and determines the method, means, criteria, and purposes of the processing of such personal data.

Data processor: A processor is the entity that processes personal data on behalf of the controller, where such processing is being carried out under the supervision of, and as directed by, the controller.

Personal data: Personal data is any information relating to an identified natural person or to a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, voice, photo, an identification number, an online identifier, location data or to one or more factors specific to the physical, physiological, economic, cultural, or social identity of that natural person.

Sensitive data: Sensitive data is any information that reveals, either directly or indirectly, a natural person's family, racial origin, political, philosophical, or religious beliefs, criminal records, biometric data, or any information concerning the health of such person, including the physical, psychological, mental, genetic, or sexual status of such person, including the provision of health care services, which reveals information about his or her health status.

Health data: The PDPL does not define health data, however, health data is defined broadly under the Health Data Law to include all electronic data originating in the UAE regardless of its form, including alpha-numerical identifiers, common procedural technology codes, diagnosis and treatment, images produced by medical imaging technology, information collected during consultation, lab results, and names of patients.

Biometric data: Biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a data subject, which allow or confirm the unique identification of that data subject, such as facial images or dactyloscopic data.

Pseudonymization: Pseudonymization is the processing of personal data in such a manner that the personal data processed as such can no longer be attributed to the data subject without the use of additional information, provided that such additional information is kept separately and safely and is subject to the technical and organizational measures provided for in the PDPL to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data protection officer: A natural or legal person appointed by the controller or processor to monitor the compliance of such officer's employer with the controls, requirements, procedures, and rules of the processing and protection of personal data provided for in the PDPL, and to ensure the integrity of the systems and procedures to ensure compliance with the provisions thereof.

5. Legal Bases

5.1. Consent

Consent of the data subject is the primary legal basis for processing personal data under the PDPL.

5.2. Contract with the data subject

A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject for entering into, amending or terminating a contract (Article 4 of the PDPL).

5.3. Legal obligations

A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the performance by the controller of specific obligations prescribed by UAE law (Article 4 of the PDPL).

5.4. Interests of the data subject

A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary to protect the interest of the data subject (Article 4 of the PDPL).

5.5. Public interest

A controller and/or processor may process personal data without the consent of the data subject to which the data relates where processing is necessary for the protection of the public interest (Article 4 of the PDPL).

5.6. Legitimate interests of the data controller

Legitimate interest does not currently feature as a lawful basis for processing personal data under the PDPL.

5.7. Legal bases in other instances

Article 4 of the PDPL provides several additional legal bases for processing personal data, including where processing is necessary for:

  • the exercise of legal rights or relates to judicial or security measures;
  • protecting public health;
  • assessing the working capacity of the employee or the provision of health or social care; and/or
  • archiving or scientific or historical research purposes.

A controller or processor may also process personal data without the consent of the data subject to which the data relates where the data has been made public by the data subject (Article 4 of the PDPL).

6. Principles

While the PDPL does not explicitly reference the principles of data protection, the law nonetheless codifies several of the most commonly recognized principles. For example, Article 5 of the PDPL provides that personal data must be processed in accordance with the following rules:

  • processing shall be performed lawfully, fairly, and in a transparent manner (i.e., the principle of lawful, fair and transparent processing);
  • personal data must be adequate and limited to what is necessary in relation to the purpose for which it is processed (i.e., the purpose limitation principle); and
  • personal data shall be accurate and, where necessary, kept up to date (i.e., the adequacy principle).

7. Controller and Processor Obligations

7.1. Data processing notification

Not applicable.

7.2. Data transfers

Article 22 of the PDPL prohibits the transfer of personal data to a country or territory outside the UAE unless that country ensures an 'adequate level of protection' for the rights and freedoms of data subjects in relation to the processing of personal data. Where this is not the case, Article 23 of the PDPL provides various exemptions/derogations through which personal data can lawfully be transferred across borders, including:

  • creating adequate protection through appropriate safeguards (for example by putting in place a contract or agreement that requires recipients in third countries to implement the measures required by the PDPL) – this is likely to be Standard Contractual Clauses (SCCs);
  • the data subject has explicitly consented (and the transfer does not conflict with the public and security interests of the UAE);
  • the transfer is necessary to establish, exercise, or defend legal claims; or
  • the transfer is necessary to perform a contract between the controller and the data subject, or the controller and a third party to achieve the data subject's interest.

Further information relating to cross-border transfers, including potentially a list of jurisdictions deemed as providing an 'adequate level of protection,' is expected to be included in the Executive Regulations once issued.

7.3. Data processing records

Article 7(4) of the PDPL requires controllers to maintain a register of personal data processing which should include the following:

  • details of the controller and data protection officer;
  • categories of the personal data kept by the controller;
  • details of persons authorized to access the personal data;
  • duration, restrictions, and scope of processing;
  • mechanisms for erasure, modification or processing of personal data;
  • the purpose for processing;
  • any details on cross-border processing and movement of the personal data; and
  • technical and organizational measures relating to information security and processing operations.

In addition, under Article 8(7) of the PDPL, processors are also required to maintain a similar register but must also include details of the controller on whose behalf personal data is processed.

7.4. Data protection impact assessment

Under Article 21 of the PDPL, where a type of processing that uses new technologies is likely to result in a high risk to the privacy and confidentiality of the personal data of a data subject, the controller is required to conduct a Data Protection Impact Assessment (DPIA) prior to the processing.

In particular, the PDPL notes in Article 21(2) that the obligation to conduct a DPIA applies in the following circumstances:

  • if the processing involves a systematic and comprehensive assessment of data subjects based on automated processing, including profiling, and has legal consequences or serious impacts on data subjects; or
  • if the processing is conducted on a large scale and involves sensitive personal data.

Where required, the DPIA shall contain, amongst other things:

  • a clear explanation of the nature of the processing activity concerned and the purpose(s) thereof;
  • an assessment of the necessity of the processing in relation to its purpose;
  • an assessment of the potential risks on the protection of personal information of data subjects; and
  • the suggested measures to mitigate the potential risks of such processing activities.

Furthermore, controllers must review the outcomes of DPIAs periodically to ensure that processing activities are conducted in accordance with the assessment in the event that the level of risk changes (Article 21(5) of the PDPL).

7.5. Data protection officer appointment

Pursuant to Article 10 of the PDPL, a controller and processor must designate a data protection officer (DPO) where:

  • a type of processing that uses new technologies (or based on the scale of data) is likely to result in a high risk to the confidentiality and privacy of the personal data of a data subject;
  • processing includes systematic and extensive evaluation of sensitive personal data, including profiling and automated processing; and/or
  • processing is performed on a large scale of sensitive personal data.

In addition, the appointed DPO must be equipped with the skills and know-how for safeguarding personal data (Article 10(1) of the PDPL). In this regard, the DPO can be an employee of the controller or processor, or another individual appointed by the organization, either within or outside of the UAE (Article 10(2) of the PDPL).

Notification

The controller or processor must determine a contact address for the DPO and inform the Data Office of the same (Article 10(3) of the PDPL).

Moreover, controllers and processors must include details of the DPO in their records of processing activities (ROPAs) as required by Articles 7(4) and 8(7) of the PDPL.

Role

The DPO shall, amongst other things, ensure compliance by the controller or the processor with the provisions of the PDPL, its Executive Regulations, and any instructions issued by the Data Office.

More specifically, the PDPL outlines the DPO's responsibility for ensuring the controller or processor's compliance with the PDPL and its Executive Regulations, and details the roles and tasks of the DPO, which include the following (Article 11(1) of the PDPL):

  • check the existence and effectiveness of the measures implemented by the controller or processor;
  • receive data subject requests under the provisions of the PDPL and its Executive Regulations;
  • provide guidance for assessing the effectiveness of measures in place, conducting periodic assessments, and documentation of the results of such assessments, and provide appropriate advice in relation to the same, including impact assessments of processing;
  • be the point of contact between the controller or processor and the Data Office for compliance with the provisions of the PDPL; and
  • any other roles and responsibilities outlined by the Executive Regulations to the PDPL.

Furthermore, the PDPL outlines the DPO's obligation to maintain the confidentiality of personal information in conducting their role subject to the provisions of the PDPL and the Executive Regulations (Article 11(2) of the PDPL). Additionally, the PDPL states that data subjects may directly contact the DPO with regard to all issues related to the processing of their personal data so they can exercise their rights under the Law (Article 12(2) of the PDPL).

Notably, the PDPL outlines controller and processor obligations toward DPOs and notes that resources should be made available to DPOs to guarantee they are able to carry out their responsibilities under the provisions of the PDPL, and particularly notes the following requirements (Article 12 of the PDPL):

  • the DPO must be included at a convenient time in all matters in relation to the protection of personal information;
  • the DPO must be provided with the resources and support necessary to execute their role;
  • the DPO must not be penalized for carrying out any of their duties in accordance with the Law; and
  • the DPO must not be placed in a position that leads to a conflict of interest in their role within the organization.

7.6. Data breach notification

In the case of a data breach that would prejudice the privacy, confidentiality, and security of the personal data of a data subject, Article 9 of the PDPL requires that the controller, immediately upon becoming aware of such breach, notify the Data Office of the data breach. The required notification must include details such as:

  • the nature, form, causes, approximate number, and records of the data breach;
  • a description of the likely consequences of the data breach; and
  • a description of the measures and remedial action taken by the controller to address the data breach.

The Executive Regulations are expected to set out the relevant time periods, procedures, and conditions for reporting a personal data breach.

7.7. Data retention

Organizations must not store personal data after the completion of the purpose for which such data was processed unless the identity of the data subject is no longer identifiable through the use of anonymization techniques.

7.8. Children's data

There are no specific provisions in the PDPL regulating the processing of children's data.

7.9. Special categories of personal data

In certain instances, the PDPL mandates a heightened level of protection for sensitive personal data. For example, Articles 10 and 21 of the PDPL provide that where processing is carried out on a large scale of sensitive personal data, the controller and/or processor must complete a DPIA and designate a DPO.

7.10. Controller and processor contracts

Article 8 of the PDPL requires that the processor perform and implement the processing of personal data based on the instructions of the controller and in accordance with the contracts and agreements entered into between them, which shall specifically set out the scope, subject matter, purpose, and nature of the processing, the type of personal data, and the categories of data subjects.

8. Data Subject Rights

8.1. Right to be informed

Article 13(2) of the PDPL requires that a controller, prior to the start of processing activities, provide the data subject with at least the following information:

  • the purposes of the processing;
  • the sectors or entities inside or outside the UAE with whom their personal data will be shared; and
  • the appropriate safeguards used by the controller in the context of cross-border processing.

8.2. Right to access

Data subjects also have the right, under Article 13(1) of the PDPL, to obtain additional information upon their request, including:

  • the types of personal data of the data subject being processed;
  • the purposes of the processing;
  • the decisions made on the basis of automated processing, including profiling;
  • the targeted sectors or entities inside or outside the UAE with whom their personal data will be shared;
  • the rules and criteria of the periods for which the personal data will be stored and kept;
  • the procedures for the rectification, erasure, or restriction of processing and for objecting to the processing of the data subject's personal data;
  • the appropriate safeguards for cross-border processing;
  • the measures to be taken upon the occurrence of a data breach; and
  • how to lodge a complaint with the Data Office.

The controller may reject the request of the data subject to obtain the information outlined in Article 13(1) of the PDPL if it appears to the controller that (Article 13(3) of the PDPL):

  • the request is not related to the information referred to in Article 13(1) of the PDPL or is excessively repetitive;
  • the request conflicts with judicial proceedings or investigations carried out by the competent authorities;
  • the request may negatively affect the efforts by the controller to protect information security; or
  • the request affects the privacy and confidentiality of the personal data of a third party.

8.3. Right to rectification

Data subjects have the right under Article 15 of the PDPL to obtain from the controller the rectification of inaccurate personal data concerning them, and to have incomplete personal data completed without undue delay.

8.4. Right to erasure

Article 15 of the PDPL provides data subjects with the right to request that a controller delete personal information concerning them in the following circumstances:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or processed;
  • the data subject withdraws their consent or objects to processing, and there are no legitimate grounds for the controller to continue the processing; and/or
  • the personal data have been processed in violation of the provisions of the PDPL and the applicable legislation and have to be erased to comply with the applicable legislation and approved standards.

The right to erasure applies without prejudice to legislation in force in the UAE and to the requirements of the public interest (Article 15(2) of the PDPL). Furthermore, data subjects are not entitled to request the erasure of their personal data in the following cases:

  • if the request relates to the erasure of their personal data concerning public health in private facilities;
  • if the request affects investigation procedures or the claiming and defending of rights;
  • if the request contradicts other legislation to which the controller is subject; and/or
  • any other cases determined by the Executive Regulations of the PDPL.

8.5. Right to object/opt-out

Under Article 17 of the PDPL, data subjects have the right to object to, and to suspend, the processing of their personal data where:

  • the processing is performed for direct marketing purposes;
  • the processing is performed for statistical survey purposes; and
  • the processing is performed in violation of the provisions of Article 5 of the PDPL.

8.6. Right to data portability

Under Article 14 of the PDPL, data subjects have the right to have their personal data transmitted to another controller where technically feasible. The data subjects have the right to receive the personal data they have provided to a controller for processing in a structured and machine-readable format where the processing is based on the consent of the data subject or is necessary to fulfill a contractual obligation and implemented by automated means.

8.7. Right not to be subject to automated decision-making

Article 18 of the PDPL provides data subjects with the right to object to decisions based on automated processing, including profiling, particularly those decisions which have a legal impact on or adversely affect the data subject.

The data subject does not have the right to object to decisions based on automated processing where the automated processing is (Article 18(2) of the PDPL):

  • agreed upon in a contract between the data subject and the controller;
  • required under any other legislation in force in the UAE; or
  • based on prior consent by the data subject in accordance with Article 6 of the PDPL.

Where the right to object does not apply, controllers must implement appropriate measures to safeguard the privacy and confidentiality of the data subject's personal data and not cause any prejudice to their rights (Article 18(3) of the PDPL).

Furthermore, data subjects have the right to request human intervention from the controller to review decisions based on automated processing (Article 18(4) of the PDPL).

8.8. Other rights

Right to restrict processing

Data subjects have the right to oblige the controller to restrict and stop processing in any of the following cases (Article 16(1) of the PDPL):

  • the data subject has contested the accuracy of the personal data, in which case the processing will be restricted for a period enabling the controller to verify the accuracy of the data;
  • the data subject has objected to the processing of their personal data in violation of the agreed-upon purposes; or
  • the processing is carried out in violation of the provisions of the PDPL and the applicable legislation.

The data subject has the right to request the controller to continue to keep their personal data after the completion of the processing purposes when such data is necessary to complete procedures related to claiming or defending rights and lawsuits (Article 16(2) of the PDPL).

Notwithstanding what is stated under Article 16(1) of the PDPL, the controller may proceed with the processing of the personal data of the data subject without their consent if the processing is:

  • limited to storing personal data;
  • necessary to pursue any of the procedures related to claiming or defending rights and lawsuits or related to judicial proceedings;
  • necessary to protect the rights of third parties; and/or
  • necessary to protect the public interest.

The controller must notify the data subject when it lifts the restrictions under Article 16 of the PDPL (Article 16(4) of the PDPL).

Right to lodge a complaint

Article 24 of the PDPL provides that data subjects may lodge a complaint with the Data Office if they have reason to believe that a violation of the provisions of the PDPL is committed.

9. Penalties

The current draft of the PDPL provides that information setting out the administrative sanctions shall be included in the Executive Regulations.

9.1. Enforcement decisions

There are no notable enforcement decisions at present.