Legislation Details
- Full Title: Federal Decree by Law Concerning the Protection of Personal Data
- Law Type: Federal Decree-Law
- Law Number: 45 of 2021
- Issued Date: 20 Sep 2021
- Effective Date: 02 Jan 2022
- Official Gazette: No. 712
- Sector: Telecommunication, Technology and Space
- Status: Active
- Number of Articles: 69
- Chapters/Parts: 0
- Amendments: 0
Summary
This Federal Decree-Law regulates the protection of personal data in the United Arab Emirates. Its purpose is to establish a comprehensive legal framework to safeguard the privacy and security of personal information processed by individuals, companies, and government entities. The law imposes strict requirements on the collection, storage, and use of personal data, granting individuals various rights over their information and imposing penalties for non-compliance. This legislation is a significant development that aims to align the UAE's data protection regime with international best practices and enhance trust in the digital economy. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1-2)
What is the scope and purpose of this law?
The Decree-Law applies to the processing of personal data by electronic means or other methods, both within the UAE and by controllers or processors located outside the UAE who process the personal data of UAE residents. It establishes the UAE Data Bureau as the regulatory authority responsible for overseeing compliance. The law does not apply to government data, data held by security and judicial authorities, personal data processed for personal purposes, or personal data already covered by other sectoral legislation. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 2)
What are the key definitions under this law?
The Decree-Law provides the following key definitions:
- Personal Data: Any data related to a specific natural person or that can be used to identify them directly or indirectly. This includes sensitive personal data and biometric data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Sensitive Personal Data: Data that reveals a person's family, ethnic origin, political opinions, religious beliefs, criminal record, health, or sexual condition. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Biometric Data: Personal data derived from a person's physical, physiological or behavioral characteristics that allow their unique identification. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Data Subject: The natural person who is the subject of the personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Controller: The entity that determines the purpose and means of processing personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Processor: The entity that processes personal data on behalf of the controller. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
- Data Protection Officer: The person appointed by the controller or processor to ensure compliance with personal data protection requirements. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 1)
What are the main obligations and requirements?
The Decree-Law imposes several key obligations on controllers and processors of personal data:
1. Personal data must be processed fairly, transparently, and lawfully. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 5)
2. Personal data must be collected for a specific and clear purpose, and not used in an incompatible manner later on. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 5)
3. Personal data must be adequate, relevant, and limited to what is necessary for the processing purpose. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 5)
4. Personal data must be accurate, kept up-to-date, and corrected if inaccurate. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 5)
5. Appropriate technical and organizational measures must be taken to ensure the security and confidentiality of personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 5, 20)
What licensing, registration, or approval requirements exist?
The legislation does not specify any licensing, registration, or approval requirements for the processing of personal data.
What rights and protections does this law provide?
The Decree-Law grants data subjects several rights, including:
1. The right to receive information about the processing of their personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 13)
2. The right to request the transfer of their personal data to another controller. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 14)
3. The right to request the correction or erasure of their personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 15)
4. The right to restrict or stop the processing of their personal data. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 16-17)
5. The right to object to automated decision-making and profiling. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 18)
Which authorities or bodies are responsible for enforcement?
The UAE Data Bureau is the regulatory authority responsible for overseeing compliance with the Decree-Law. Its powers include:
1. Exempting certain establishments from some or all of the personal data protection requirements. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 3)
2. Receiving and investigating complaints about personal data breaches and violations. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 24-25)
3. Imposing administrative penalties for non-compliance. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 26)
What are the penalties for non-compliance?
The Decree-Law specifies that administrative penalties may be imposed for violations, but does not provide the exact penalty amounts or terms. The Executive Regulations of the law will likely outline the specific penalties. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 26)
What fees, charges, or financial provisions are specified?
The legislation does not specify any fees, charges, or financial provisions related to the processing of personal data.
What exemptions or exceptions apply?
The Decree-Law does not apply to the following:
1. Government data
2. Data held by security and judicial authorities
3. Personal data processed for personal purposes
4. Personal health data and personal banking/credit data covered by other legislation
5. Companies in free zones with special data protection laws (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 2)
Additionally, the UAE Data Bureau may exempt certain establishments from some or all of the personal data protection requirements. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 3)
How are disputes resolved under this law?
The legislation allows data subjects to file complaints with the UAE Data Bureau regarding violations of their rights or the law's provisions. Data subjects can also file grievances against the Bureau's decisions. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Art. 24-25)
What are the key deadlines and time limits?
The legislation does not specify any deadlines or time limits for compliance with its provisions.
How does this law interact with other UAE legislation?
The Decree-Law references and builds upon several existing UAE federal laws, including:
1. Federal Law No. (1) of 1972 on the Competences of Ministries and Powers of Ministers
2. Federal Decree-Law No. (3) of 2003 on Regulating the Telecommunications Sector
3. Federal Law No. (6) of 2010 on Credit Information
4. Federal Law No. (14) of 2016 on Administrative Violations and Penalties in the Federal Government
5. Federal Law No. (2) of 2019 on the Use of ICT in the Health Sector
6. Federal Decree-Law No. (14) of 2018 on the Central Bank and Regulation of Financial Institutions
7. Federal Decree-Law No. (44) of 2021 on the Establishment of the UAE Data Office (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Preamble)
When did this law come into effect?
The Federal Decree-Law Concerning the Protection of Personal Data was issued on 20 September 2021 and came into effect on 2 January 2022, as published in the Official Gazette No. 712. (Federal Decree by Law Concerning the Protection of Personal Data, 2021, Issued Date, Effective Date)
Source Documents
This article analyses Federal Decree by Law Concerning the Protection of Personal Data for legal research and educational purposes. For the purpose of interpretation and application, reference must be made to the original Arabic text. In case of conflict, the Arabic text prevails. This does not constitute legal advice.