PDPL 

Personal data protection in the UAE is governed by the PDPL, however, until the issuance of the PDPL Regulations, the full scope of the PDPL remains open to interpretation in terms of its implementation and, to some extent, the relevant standards, restrictions, obligations and prohibitions applicable to processors and controllers. The PDPL largely replicates globally recognised data protection principles and regimes, except for specific data transfer restrictions. As such, in the interest of business continuity and ensuring compliance in a gradual and efficient manner, many entities believed to be captured by the scope of the PDPL proactively commenced implementing data protection policies and protocols compliant with recognised standards such as the General Data Protection Regulation (GDPR). 

General federal laws

Whilst the PDPL’s official implementation date remains pending, it is important to note that there are several laws generally governing the protection of personal data and privacy in the UAE, which are scattered across various federal legal instruments, and that remain in full effect and must be complied with until such laws are amended or repealed by way of federal decree. In summary, this includes, by way of example, the following:

• The UAE Constitution: explicitly provides all individuals in the UAE with a general right to privacy.
• UAE Penal Code: prohibits the publication of any personal information or secrets (irrespective of their validity), the disclosure of any information obtained in a professional capacity for the advantage of another (except where consent is obtained), and the disclosure of any information illicitly obtained from a person’s private conversations or correspondence.
• UAE Cybercrime Law: lists and prohibits various actions and omissions that constitute a breach of privacy of electronic data and communications, including the unauthorised access, manipulation or disclosure of medical records, the publication of any personal information, news, or photos that would be defamatory or offensive to the data subject (irrespective of the validity of such information), and the use of an information network to disclose confidential information. 
• UAE E-Commerce Law: provides that it is an offence to intentionally disclose any information a person has obtained access to through electronic files, documents or communications. 
• UAE Telecommunications Law and related framework: provides that it is an offence for any person to exploit communication devices in a manner harmful to others, to copy, disclose or distribute content of any communication services without consent, and to intercept communications without a judicial permit to do so, and also sets out obligations on telecoms operators in relation to customer personal data. 

Sector-specific laws and regulations 

The UAE also has sector-specific data protection laws, regulations and standards in place that govern entities practicing in certain sectors in the UAE which, by way of the nature of their industry, process personal data of a more sensitive nature, such as: telecommunication service providers licensed in the UAE, financial institutions, and entities which process medical, health and/or genetic data. In summary: 

• Telecommunication Licensees: as set out above, telecommunication licensees in the UAE are obligated to take measures to prevent the unauthorised use or disclosure of consumer information and to protect the privacy of consumer information and limit access to such information. 
• Financial Institutions: Financial institutions licensed in the UAE are also subject to several laws, regulations and standards, such as: 
  • The Federal Central Bank Law, which governs the organisation of financial institutions and sets out specific data protection obligations on such institutions. 
  • The Federal Credit Information Law, which sets out rules, applicable to both the UAE National Credit Bureau and any organisations that share financial information with it, that govern the processing of financial information and prohibits the collection and circulation of private information related to a persons’ life, opinions, beliefs or health. 
  • The Central Bank’s Consumer Protection Regulations, which restricts financial institutions from collecting consumer information beyond what is necessary and mandates compliance with the applicable UAE data protection laws and regulations. 
  • The Central Bank’s Consumer Protection Standards, which provide detailed requirements which financial institutions are obligated to comply with, such as maintaining a suitable data management control framework, utilising secure processing methods for digital transactions, appointing a data protection officer, retaining data for a minimum stipulated period and ensuring data is collected for lawful and limited purposes and with appropriate security measures in place. 
  • The Central Bank’s Stored Value Facilities Regulations, which set out additional data management, protection and control obligations applicable specifically to stored value facility service providers licensed by the UAE Central Bank. 
  • The Central Bank’s Retail Payment Services and Card Scheme Regulations, which set out specific and more comprehensive data protection obligations on Central Bank licensees involved in the provision of retail payment and card scheme services.
• Medical and Health Institutions: Medical, genetic and health data and information collected in the UAE, or from subjects based in the UAE, are subject to specific federal laws, regulations and standards, as well as others which are applicable to a specific emirate or free zone. These include the following: 
  • The Federal ICT Health Data Law and Regulations, which govern the use of information and communication technology (ICT) in the health sector, and which set out specific privacy restrictions and requirements in respect of medical and health information processed by medical and health institutions in the UAE.
  • The Federal Law on the Use of Human Genomes, which was recently issued in 2023, sets out specific restrictions on the collection, processing, storage and use of human genome information and specifies the purpose for which such information may be used. 
  • The Abu Dhabi Health Information Exchange Standards, which sets out specific standards applicable to the exchange of health information which are applicable to any entities processing, or involved in the processing, of health data in Abu Dhabi. 
  • The Dubai Healthcare City Health Data Protection Regulations, which specifically govern any type of health data collected by entities licensed in the DHCC free zone, irrespective of where such information is held. 

Scope of the PDPL

The provisions of the PDPL are applicable to the processing of any personal data by means of electronic systems or otherwise by any of the following: 

• a data subject residing in the UAE or having a place of business in it; 
• any controller or processor based in the UAE and processing personal data either inside or outside of the UAE; and 
• any controller or processor based outside of the UAE, and which processes personal data of data subjects inside the UAE. 

‘Personal data’, a ‘data subject’, ‘controller’ and ‘processor’ are each respectively defined under the PDPL as follows: 

• Personal data: “Any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data, through the use of identification elements such as his/her name, voice, image, identification number, his/her electronic identifier, his/her geographical location, or by one or more physical, physiological, economic, cultural or social characteristics. It includes sensitive personal data and biometric data [defined below].”
  • Sensitive personal data: “Any data which directly or indirectly reveals a natural person’s family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to such person’s health and physical, psychological, mental, genetic or sexual condition, including information related to the provision of healthcare services to him/her which reveals his/her health status.”
  • Biometric data: “Personal data resulting from processing using a specific technology related to the physical, physiological or behavioural characteristics of the data subject, which allows the identification or confirmation of the unique identification of the data subject, such as facial images or fingerprint.”
• Data subject: “A natural person who is the subject of personal data.” 
• Controller: “An establishment or natural person that has personal data, and by virtue of its activity, determines whether individually or jointly with other persons or establishments, the method and criteria for processing such personal data and the purpose of processing it.” 
• Processor: “An establishment or natural person that processes personal data on behalf of the controller. It processes it under their supervision and in accordance with their instructions.” 

Exclusions from the PDPL

As set out above, entities which are established in jurisdictions in the UAE that have specific data protection frameworks (such as the Financial Free Zones) are excluded from the provisions of the PDPL (subject to its extraterritorial scope discussed further below). 

Whilst certain entities practicing in the financial and medical/health sectors are subject to specific regulations in respect of financial or health data (as applicable), such entities remain subject to the scope of the PDPL in respect of personal data collected outside of such industry-specific scope (for example, employee data, etc.). 

Additionally, the PDPL explicitly excludes the following: 

• government data and government entities which control or process personal data; 
• personal data held by the security and judicial authorities; and 
• data subjects who process their own data for personal purposes. 

The scope of the PDPL is extraterritorial in that it, in addition to data subjects and controllers and processors based in the UAE (regardless of where their data subjects are located), also purports to apply to controllers and processors based outside of the UAE which process the data of UAE-based data subjects.

This extraterritorial effect is applicable to both entities established and operating in foreign jurisdictions, as well as to entities operating in the Financial Free Zones, should they be captured by the above scope of the PDPL. 

The PDPL governs any operation or set of operations performed for the purpose of processing personal data, including “collecting, storing, recording, organising, adapting, modifying, circulating, altering, retrieving, exchanging, sharing, using, characterizing, disclosing personal data by broadcasting, transmitting, distributing, making available, coordinating, merging, restricting, blocking, erasing or destroying it or creating forms thereof.” This also includes: 

• Automated processing: defined as processing “carried out using an electronic program or system which operates in an automated and automatic manner either completely independently without any human intervention or partially with limited human supervision and intervention”; and 
• Profiling: defined as “a form of automated processing which involves the use of personal data to assess certain personality aspects associated with the data subject, including analysing or predicting aspects related to his/her financial performance or condition, health, personal preferences, interests, behavior, location, movements or reliability.” 

The PDPL governs the processing of personal data, including sensitive personal data and biometric data, as defined at Question 2, above, and prohibits the processing of such personal data without consent. Although the PDPL includes very little information in respect of restrictions and requirements applicable to anonymous and pseudonymous data, anonymisation and pseudonymisation are respectively expressly defined in the PDPL, as set out below. The existence of these definitions in the law indicates that the pending PDPL Regulations will likely address anonymisation and pseudonymisation in further detail, including possibly specifications on the mechanism of anonymisation and pseudonymisation. 

• Anonymisation: “Processing which is performed on personal data in a way which leads to the anonymity of the data subject, not linking and attributing such data to him/her and the inability to identify him/her in any way whatsoever.” 
• Pseudonymisation: “Processing performed on personal data in such a way which, after the completion of processing, makes it not possible to associate and attribute such data to the data subject without the use of additional information, provided that such additional information is kept independently and securely. In accordance with the technical and organizational measures and procedures specified under provisions of this Decree by Law, it shall ensure that personal data is not linked to a specific natural person or that he/she can be identified by using it.”

As set out above, health information and data and financial data are also regulated by industry-specific laws. 

Sensitive personal data 

The PDPL briefly addresses sensitive personal data (as defined above) placing an obligation to appoint a data protection officer in the event a controller or processor would be processing a large volume of sensitive personal data or where such processing would involve a systematic or comprehensive assessment of such sensitive personal data, including automated processing and profiling (as defined above). Meanwhile, albeit specifically defined and therefore contemplated, there are no specific requirements, restrictions or heightened levels of protection set out in the PDPL in respect of biometric data. That said, it is very likely that the pending PDPL Regulations (or at the very least specific policies issued by the UAE Data Office) will address both sensitive personal data and biometric data in further detail. 

Health and financial data

As set out above, the UAE also has various sector-specific data protection and privacy frameworks applicable to medical, health and genetic data, as well as laws, regulations and standards applicable to financial data.

Other types of data

Certain UAE federal laws applicable to specific protected persons or groups, such as employees or children/minors, will necessitate the protection of personal data in respect of such individuals, but the PDPL ultimately governs the processing of personal data for such individuals generally. That said, it should also be noted that the UAE is a member state of the International Telecommunication Union (ITU) and therefore recognises and abides by the guidelines issued by the ITU, including, for example, the ITU’s Child Online Protection (COP) Guidelines. Additionally, penalties applicable to a breach or violation relating to the privacy or personal data of such protected persons may extend to the application of further penalties (including criminal penalties) that may be set out under other applicable laws, such as the UAE Cybercrime Law, discussed further herein. 

As above, the PDPL governs the processing of personal data and prohibits the processing of such personal data without consent. ‘Consent’ is defined under the PDPL as where “the data subject authorises a third party to process his/her personal data, provided that this consent indicates, in a specific, clear and unambiguous manner, that he/she accepts the processing of his/her personal data through a clear positive statement or action.” 

As such, it is important to note that any consent obtained for the purposes of processing personal data in any form must be affirmative in nature and a controller must: 

• be able to prove consent has been obtained; 
• ensure consent is obtained in a simple, unambiguous and accessible manner; and
• ensure the consent expressly includes the data subject’s right to withdraw such consent at any time. 

Notwithstanding the above, consent is not required under the PDPL for the processing of personal data if such processing is: 

• necessary to protect public interest, including public health and safety, or the interests of the data subject; 
• related to personal data which has become available and known to all by an act of the data subject; 
• necessary to initiate any procedures of legal claim or defence of rights or is related to judicial or security procedures; 
• necessary for purposes of occupational or preventive medicine in order to assess an employees’ ability to work, performing medical diagnoses, and providing health and/or social care, treatment or health insurance services in accordance with applicable laws; 
• necessary for archival purposes or for scientific, historical and statistical studies in accordance with applicable laws; 
• necessary for the purposes of the controller or data subject carrying out their obligations and exercising their legally established rights in accordance with the fields of employment, social security or laws concerned with social protection; 
• necessary to perform or take actions in relation to a contract to which the data subject is a party; or
• necessary to fulfil specific obligations stipulated in other applicable laws for the controller.

It should also be noted that the PDPL expressly provides that further cases of exemption may be set out in the pending PDPL Regulations.

Personal data processing controls

In addition to any other controls which may be set out in the pending PDPL Regulations, the PDPL requires the processing of personal data to be: 

• carried out in a fair, transparent and lawful manner; 
• collected for a specific and clear purpose and not to be processed for any other purpose, except where such purpose is similar to the purpose for which it was collected; 
• limited to what is necessary for the purpose of such processing; 
• accurate, correct and up to date wherever necessary and for incorrect personal data to be either deleted or corrected; 
• kept securely and protected from breaches, violations or unauthorised use; and 
• deleted after the purpose of processing has been exhausted, unless the identity of the data subject is anonymised. 

Appointment of a data protection officer (DPO)

Processors and controllers are required to appoint a DPO, which can be an employee or an external third party based either inside or outside of the UAE, if: 

• there is a high level of risk associated with the confidentiality and privacy of the personal data to be processed (e.g. relating to utilisation of new technologies or the volume of data); 
• the processing would involve a systematic or comprehensive assessment of sensitive personal data, including profiling and automated processing (each as discussed above); or 
• if a large volume of sensitive personal data will be processed. 

Notification obligations

The PDPL places an obligation on controllers, immediately upon becoming aware of any breach that may form a risk to the privacy, confidentiality or security of a data subject’s personal data, to (a) notify the relevant regulating authority, and (b) in all cases to notify the relevant data subject(s), within a period and in accordance with the measures and requirements to be specified in the pending PDPL Regulations (as such, the associated notification periods, requirements and measures for data breaches remain unclear to date). 

Similarly to the GDPR, the PDPL entitles data subjects to a set of rights enabling them to exercise certain controls on the processing of their personal data. Controllers are obligated to abide by requests to exercise the following rights from data subjects, albeit such rights are also subject to specific exceptions and limitations: 

• the right to obtain information in respect of collected personal data; 
• the right to request the transfer of personal data in an organised and machine-readable manner; 
• the right to the correction or erasure of personal data; 
• the right to restrict the processing of personal data; 
• the right to stop the processing of personal data; and 
• the right to object to any decisions resulting from the automated processing of personal data, including profiling (as discussed above).

TDRA Spam Policy

Until recently, the only regulation governing direct marketing communications in the UAE was the Unsolicited Electronic Communications Regulatory Policy (the “Spam Policy”) issued by the Telecommunications and Digital Government Regulatory Authority (TDRA), the primary objective of which was to reduce the volume of unsolicited electronic communications (including both email and text messages) by placing an obligation on telecommunications licensees in the UAE to enforce measures to minimise communication effectively defined as ‘Spam’. The Spam Policy prohibits the sending of any form of electronic communication to a recipient without first obtaining that recipient’s consent (although generally advocates an opt-in basis).

Since then, the UAE has issued both the Modern Technology-Based Trade Law and the Telemarketing Regulations (see below), both of which regulate direct marketing communications on a wider scale than the telecommunications sector and which grant the local licensing authorities (i.e. the economic departments licensing onshore establishments or the free zone authorities licensing free zone entities) with the authority to monitor, issue policies and enforce sanctions and/or penalties in this regard. 

Modern Technology-Based Trade Law

This law obliges merchants to protect consumer rights and comply with requirements applicable to promotional campaigns and the exchange of consumer data in such context. It also provides consumers with the right to refuse receiving promotional or marketing messages in any form. 

Telemarketing Regulations 

These very recent regulations are the first in the UAE to regulate ‘telemarketing’ (as such term is defined therein) at a general commercial level and are also the first regulations to introduce specific requirements and mechanisms restricting ‘unwanted marketing phone calls’ and introducing penalties to entities in violation of such requirements. To achieve this objective, the Telemarketing Regulations establish obligations of cooperation between various government and licensing authorities (including the TDRA) to exchange information and develop a unified national call registry known as the Do Not Connect Register (DNCR). Various other obligations and restrictions are also set out in the regulations, including (by way of example) in relation to prior approvals, training, record keeping, acceptable windows of call placement and duration, etc. Further sector-specific obligations are also contemplated (e.g. in relation to financial institutions). As these regulations are still very new, it will be interesting to see how they are implemented and enforced in practice.

Pursuant to the PDPL, and subject to further requirements to be issued in the pending PDPL Regulations, personal data may be transferred outside of the UAE to jurisdictions which: 

• are deemed by the UAE Data Office as having a proper protection level from a data protection and privacy legislative and regulatory standpoint; or 
• have entered into a bilateral or multilateral agreement with or including the UAE in respect of the protection of personal data. 

As noted, seeing as the PDPL Regulations have not been issued and the UAE Data Office has not been officially established to date, a list of such jurisdictions has not been issued yet. With respect to the transfer of personal data to jurisdictions which do not meet the above criteria, the PDPL does permit for such transfers in specific circumstances or where certain mitigation steps are taken, such as: 

• contractual obligations are put in place obliging controllers and processors to adopt appropriate data protection measures akin to those imposed in jurisdictions with what is recognised as an adequate data protection framework; 
• explicit consent is granted by the data subject (provided the transfer does not otherwise contravene public or security interests of the UAE); 
• the transfer is necessary for the purpose of establishing rights/fulfilling legal obligations; 
• the transfer is necessary to execute or enforce a contract between a controller and a data subject or between a controller and a third party to serve the interests of a data subject;
• the transfer is necessary in relation to an international judicial cooperation; or
• the transfer is necessary to protect the public interest. 

Other requirements may be applicable in a sector or subject matter-specific context pursuant to some of the other frameworks discussed above, but the foregoing constitute the general federal position pursuant to the PDPL. 

Generally speaking, laws and regulations in the UAE will usually designate a competent authority, whether at a federal, local or free zone level, to oversee the enforcement and development of the relevant legal framework. Authorities in the UAE are also generally granted a wide scope of powers and authority, which may include: 

• monitoring any activities within the scope of a matter regulated by the authority and undertaken by its licensees; 
• requesting information from any entities carrying out activities regulated by it, including periodic reporting and auditing; 
• carrying out inspections of the relevant regulated premises/equipment; 
• issuing notices, enforcing sanctions, suspending licences, issuing penalties, etc.; and
• escalating violations to other regulatory bodies or authorities in the UAE. 

In respect of privacy and data protection in the UAE, the above broad regulatory powers are generally contemplated in each of the laws and regulations as discussed herein.

Violations of data protection laws in the UAE carry a wide range of penalties and sanctions that can be either administrative or punitive in nature, or both. Administrative measures and sanctions can be in the form of warnings, notices, restriction of activities, suspension of licensing, and/or financial penalties. Punitive measures take the form of larger financial fines, imprisonment or both and are usually pursued by the UAE Public Prosecution Office.

Seeing as the data protection frameworks in the UAE, particularly at a federal level, spread across numerous laws, regulations and standards, authorities and judicial bodies in the UAE have sufficient discretionary power to enforce a combination of penalties prescribed under one or more laws and regulations, albeit this is usually subject to the nature and severity (and any history of repetition) of the violation. 

Some of the prescribed penalties and sanctions applicable to the relevant general federal data protection laws and regulations include the following: 

• PDPL: no penalties or sanctions are currently specified under the PDPL, however, it is expected these will be specified within the pending PDPL Regulation. 
• Cybercrime Law: a violation of the Cybercrime Law’s data protection provisions constitutes a criminal offence punished by a fine ranging between AED 50,000 and up to AED 1,000,000 (Approximately USD 13,614 – USD 272,265) and/or imprisonment for at least one year, subject to the nature of the violation.
• Penal Code: a violation of the Penal Code’s data protection provisions constitutes a criminal offence punished by a fine ranging between AED 3,000 to AED 20,000 (Approximately USD 817 – USD 5,446) and/or imprisonment for at least one year and up to seven years, subject to the nature of the violation. 
• E-Commerce Law: a violation of the E-Commerce Law’s provisions on data protection carries a penalty ranging between AED 250,000 to AED 500,000 (Approximately USD 68,067 – USD 136,133) and/or imprisonment for an unspecified period. 
• Telecommunications Law: a violation of the Telecommunication Law’s provisions on data protection carries a financial penalty ranging between AED 50,000 to AED 1,000,000 (Approximately USD 13,614 – USD 272,265) and/or imprisonment of not less than one year. 
• Telemarketing Law: no specific penalties have been specified in the Telemarketing Law, however, similar to the PDPL, the penalties applicable to violations of the Telemarketing Law will be specified in the executive regulations of the law, once these are issued. 

For further information on penalties and sanctions applicable to sector-specific data protection laws and regulations, such as health and financial data, please reach out to the authors of this guide.