The government of the UAE announced the milestone Data Protection Law on 20th September 2021. UAE’s authorities implemented it on 2nd January 2022 to bring the country on par with transparency & data protection practices worldwide.
What Does the New Data Protection Law in UAE Accomplish?
This new law clarifies what is acceptable for aspects like collection, processing, transfer & review of confidential data within UAE’s borders. With such provisions, the new law strengthens data subjects’ privacy rights and parties’ obligations to collect, process, and review confidential data.
This blog will focus on the main aspects of the Data Protection Law in UAE.
Compliance Regulations & To Whom They Apply
UAE’s PDPL (Personal Data Protection Law) clearly states which businesses must abide by the law. Under Article 2(2) of the PDPL, all UAE-registered businesses that process personal data of the concerned parties within the UAE or overseas must comply with the PDPL. Even companies that collect UAE residents’ personal data on behalf of other organizations must follow this law.
Who is Exempt from PDPL?
Under Article 2(2), a few categories are exempt from the PDPL. These include government data, public entities’ data, and health & credit data, contingent upon their dedicated legislation. Other exempted entities include those established within the free zones like the DIFC (Dubai International Financial Centre) and ADGM, which operate as per their own data protection laws.
However, businesses in the DIFC and ADGM free zones that process data for companies that are not a part of these free zones will also have to comply with this law to a certain extent.
Data Covered Under this Law
The PDPL clearly states which data this law covers. It aims to ensure the safety of the personal and sensitive data collected from the parties concerned. This data includes:
- Identification number
- Sexual preferences
- Biometric data
- Criminal records
- Health records
- Geographical location
Data Subject Rights
As per the newly introduced PDPL, every user/data subject is entitled to certain rights. Here, they must have a data handler under all circumstances. These circumstances include:
Right to Access Information:
Every data subject has a right to know what data/information a business gathers about them.
Right to Data Portability:
All data subjects have the right to receive relevant information in an intelligible and transferable format that they can access on most devices and platforms.
Right to Restrict Processing:
Data subjects have the right to restrict businesses from processing any data that concerns them. After a data subject exercises such a claim, the business must stop collecting information.
Right to Data Removal:
Data subjects are entitled to request businesses to delete personal data that concerns them.
Right to Protest Automated Processing:
All data subjects reserve the right to prevent a business from using the data it has collected about them to enable automated decision-making that may affect them.
Right to Rectification:
A data subject retains the right to ask the data handler to change/amend/modify the data the business has collected about them if it is obsolete, incomplete, or inaccurate.
Penalties for Non-compliance
The PDPL has not clearly stated the penalties that apply if organizations fail to comply with the new law. Authorities have decided that the Council of Ministers and courts will impose the appropriate administrative penalties if an organization fails to comply. The PDPL took effect on 2nd January 2022, but the authorities are yet to introduce standardized penalties. Everyone awaits executive legislation for more clarity on these penalties.
How Does NR Doshi & Partners Assist You with the Data Protection Law?
Many users worldwide are becoming increasingly aware and outspoken about their data privacy and protection rights. As a result, governments worldwide are keen to administer legislation that compels businesses to adopt measures ensuring that information collected from data subjects is secured & acquired with proper permission.
In 2022, data is money, but failing to comply with the global framework may result in legal issues. Moreover, businesses process massive amounts of data these days, so they need automated solutions to comply with changing regulations.
NR Doshi & Partners offers an extensive range of services for all kinds of businesses ranging from small-sized and medium-sized to large-scale/huge corporations. Our services include advice on how to manage, protect and process the corporate & private data of customers and staff.
All these services and activities must be in accordance with regulatory obligations like:
- UAE Personal Data Protection Law
- DIFC Data Protection Law
- ADGM Data Protection Law
- NDMO and other Data Protection Regulation (DPR)
The services that NR Doshi & Partners offer are as below:
- Data Classification
- Data Rights Management
- Database Activity Monitoring
- Data Loss Prevention
- Secure File Transfer & Content Management
- Data Encryption
- Secure Backup Solutions
- Data & File Encryption
- Data Privacy Controls