FEDERAL DECREE-LAW NO. (45) OF 2021 ON PERSONAL DATA PROTECTION
We, Khalifa bin Zayed Al Nahyan, President of the United Arab Emirates,
- After perusal of the Constitution;
- Federal Law No. (1) of 1972 on the Mandates of Ministries and Authorities of Ministers, as amended;
- Federal Decree-Law No. (3) of 2003 Organizing the Telecommunications Sector, as amended;
- Federal Law No. (6) of 2010 concerning Credit Information, as amended;
- Federal Law No. (14) of 2016 concerning Violations and Administrative Sanctions in the Federal Government;
- Federal Law No. (2) of 2019 concerning the Use of the Information and Communication Technology in the Area of Health;
- Federal Decree-Law No. (14) of 2018 concerning the Central Bank and the Organization of Financial Institutions and Activities, as amended;
- Federal Decree-Law No. (44) of 2021 concerning the Establishment of UAE Data Office;
- Based on what has been presented by the Minister of Cabinet Affairs, and the approval of the Cabinet,
Promulgate the following Federal Decree-Law:
ARTICLE (1) – DEFINITIONS
In application of the provisions of this Decree-Law, the following words and expressions shall have the meanings ascribed to each of them, unless the context otherwise requires:
- State : The United Arab Emirates.
- Office : The UAE Data Office established under the referenced Federal Decree-Law No. (44) of 2021.
- Data : An organized or unorganized set of information, facts, concepts, instructions, observations or measurements in the form of numbers, letters, words, symbols, pictures, videos, signals, audio, maps or otherwise, which is interpreted, exchanged or processed by individuals or computers. Data includes information wherever used herein.
- Personal Data : Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics. Personal Data includes Sensitive Personal Data and Biometric Data.
- Sensitive Personal Data : Any information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person’s health such as his physical, psychological, mental, corporal, genetic or sexual state, including any information related to such person’s provision with healthcare services that reveal his health condition.
- Biometric Data : Any Personal Data resulting from specific technical Processing relating to the physical, physiological or behavioral characteristics of the Data Subject, which allow the identification or confirm the unique identification of the Data Subject, such as facial image or dactyloscopic data.
- Data Subject : The natural person to whom Personal Data relates.
- Establishment : Any company or individual proprietorship incorporated inside or outside the State, including companies partially or wholly owned by the Federal or Local Government or in which the Federal or Local Government owns shares.
- Controller : The Establishment or the natural person who is in the possession of the Personal Data and who, by virtue of its activity, alone or jointly with others determines the means, methods, standards and purposes of the Processing of such Personal Data.
- Processor : An Establishment or a natural person who processes the Personal Data on behalf of the Controller and under his supervision and instructions.
- Data Protection Officer : A natural or legal person appointed by the Controller or the Processor in order to verify that the entity he belongs to complies with the Personal Data protection controls, requirements, procedures and rules provided for herein, and to ensure the integrity of its systems and procedures to achieve compliance with the provisions hereof.
- Processing : An operation or set of operations which is performed on Personal Data using any electronic means including the Processing or other means, such as collection, storage, recording, structuring, adaptation or alteration, handling, retrieval, exchange, sharing, use, characterization, disclosure by transmission, dissemination, distribution or otherwise making available, alignment, combination, restriction, erasure, destruction or creation of a model of Personal Data.
- Automated Processing : A Processing operation which is performed using an electronic system or programme operating in an automated manner, either in a complete autonomous way without any human intervention or partially under a limited human supervision and intervention.
- Personal Data Protection : A set of technical and organizational measures, procedures and processes determined in accordance with the provisions of this Decree-Law, which would preserve the privacy, confidentiality, integrity, integration and availability of Personal Data.
- Pseudonymization : The Processing of Personal Data in such a manner that such data cannot be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and safely and is subject to technical and organizational measures and procedures determined in accordance with the provisions of this Decree-Law, in order to ensure that the Personal Data is not attributed to an identified or identifiable natural person.
- Anonymization : The Processing performed on Personal Data in such a manner that conceals the Data Subject, does not permit the attribution of such data to him and prevents his identification by any means.
- Data Breach : A breach of security and Personal Data through unauthorized or unlawful access thereto, such as replication, transmission, distribution, exchange, transfer, circulation or Processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed.
- Profiling : A form of Automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to the Data Subject, in particular to analyze or predict aspects concerning his financial condition or performance, health, personal preferences, interests, behavior, location, movements or reliability.
- Cross-border Processing : The dissemination, use, publication, transmission, receipt, retrieval, sharing or Processing of Personal Data outside the geographical scope of the State.
- Consent : The consent by which the Data Subject authorizes third parties to process Personal Data relating to him, provided that such consent is clear, specific and unambiguous indication of the Data Subject’s agreement, by a statement or clear affirmative action, to the Processing of the Personal Data relating to him.
ARTICLE (2) – SCOPE OF APPLICATION OF THE DECREE-LAW
1. The provisions of this Decree-Law apply to the Processing of Personal Data, either in whole or in part, through electronic automated means, or other than such means, by:
a. a Data Subject who has domicile or place of business in the State.
b. a Controller or Processor established in the State that conducts Personal Data Processing activities for Data Subjects who are in or outside the State.
c. a Controller or Processor not established in the State that conducts Personal Data Processing activities for Data Subjects who are in the State.
2. The provisions of this Decree-Law do not apply to:
a. governmental Data.
b. governmental authorities which control and process Personal Data.
c. Personal Data which is in the possession of security and judicial authorities.
d. Data Subject who processes Data relating to him for personal purposes.
e. health Personal Data regulated under a special legislation governing their protection and Processing.
f. banking and credit Personal Data and information regulated under a legislation governing their protection and Processing.
g. companies and organizations incorporated in the free zones of the State and governed by special Personal Data protection legislation.
ARTICLE (3) – POWER OF THE OFFICE TO EXEMPT
Without prejudice to any other functions assigned to the Office under any other legislation, the Office shall have the power to exempt certain Establishments which do not process a large scale of Personal Data from any or all requirements and conditions of the provisions of Personal Data protection provided for herein, in accordance with the standards and controls specified by the Executive Regulations of this Decree-Law.
ARTICLE (4) – PROCESSING OF PERSONAL DATA WITHOUT CONSENT OF THE DATA SUBJECT
The Processing of Personal Data without consent of the Data Subject is prohibited. However, such prohibition is excluded and the Processing is lawful in the following situations:
1. where the Processing is necessary for the reasons of public interest.
2. where the Processing is related to Personal Data which is made publicly available by Data Subject.
3. where the Processing is necessary to initiate or defend in any procedures relating to claim of rights and legal actions or is in relation to judicial or security procedures.
4. where the Processing is necessary for the purposes of occupational or preventive medicine to assess the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services, in accordance with legislation in force in the State.
5. where the Processing is necessary for the protection of public health, such as the protection from infectious diseases and pandemics, or for ensuring the safety and quality of healthcare, medicines, drugs and medical appliances, in accordance with legislation in force in the State.
6. where the Processing is necessary for archiving purposes or for scientific, historical or statistical studies in accordance with legislation in force in the State.
7. where the Processing is necessary for the protection of interests of the Data Subject.
8. where the Processing is required for the Controller or Processor to perform its obligations and establish its rights prescribed by law in the area of recruitment or social security or the laws relating to social protection, to the extent permitted by such laws.
9. where the Processing is necessary for the performance of a contract to which the Data Subject is a party or for taking any actions upon request of the Data Subject for the purpose of concluding, amending or terminating a contract.
10. where the Processing is necessary for the compliance with obligations prescribed under other laws of the State to which the Controller is subject.
11. any other situations specified by the Executive Regulations of this Decree-Law.
ARTICLE (5) – PERSONAL DATA PROTECTION CONTROLS
The Processing of Personal Data shall take place in accordance with the following rules:
1. the Processing must be fair, transparent and lawful.
2. the Personal Data must have been collected for a clear specific purpose, and shall not be processed at a later stage in such a manner that is contrary to such purpose. However, Data may be processed if the purpose thereof is similar or close to the purpose for which the Data was collected.
3. the Personal Data shall be adequate and restricted to what is necessary for the purpose for which the Processing is performed.
4. the Personal Data must be correct and accurate and subject to update, where relevant.
5. measures or actions to ensure the erasure or rectification of incorrect Personal Data must be in place.
6. the Personal Data must be safely stored and protected from any Breach or unlawful or unauthorized Processing by putting in place and implementing appropriate technical and organizational measures and actions in pursuance of laws and legislation in force in this regard.
7. the Personal Data must not be stored after the end of the purpose of their Processing, and may be maintained in case the identity of the Data Subject is concealed using “Anonymization” function.
8. any other controls specified by the Executive Regulations of this Decree-Law.
ARTICLE (6) – CONDITIONS FOR CONSENT TO DATA PROCESSING
1. For the Consent of Data Subject to be valid, it is conditional that:
a. the Controller is able to prove the Consent of the Data Subject if the Processing is based on the Consent of Data Subject to the Processing of Personal Data concerning him.
b. the Consent must be clear, simple, unambiguous and accessible, whether in written or electronic form.
c. the Consent must contain the right of Data Subject to withdraw his Consent, and withdrawal process must be easy.
2. A Data Subject shall have the right at any time to withdraw his Consent to the Processing of Personal Data concerning him, and such withdrawal shall not affect the lawfulness and legitimacy of the Processing performed on the basis of any Consent given prior to such withdrawal.
ARTICLE (7) – THE GENERAL OBLIGATIONS OF THE CONTROLLER
The Controller shall:
1. subject to the nature, scope and purposes of the Processing and the risks to the privacy and confidentiality of Personal Data relating to the Data Subject, implement appropriate technical and organizational measures and actions to apply the standard criteria necessary for the protection and security of Personal Data, and ensure that such Data is not subject to Breach, corruption, modification or manipulation.
2. implement the appropriate measures, either during the identification of Processing means or during the Processing itself, for the purposes of compliance with the provisions of this Decree-Law including the controls provided for in Article (5) hereof. Such measures include Pseudonymization.
3. implement the appropriate technical and organizational measures in relation to the automatic setup, to ensure that the Processing of Personal Data is restricted to the specific purpose thereof. This obligation shall apply to the scale and kind of Personal Data collected, the type of the Processing taking place, the duration of storage of such Data, and the accessibility thereto.
4. maintain a record of Personal Data processed, which shall contain the details of both the Controller and the Data Protection Officer, a description of categories of Personal Data, Data related to persons authorized to access Personal Data, the timeframe, restrictions and scopes of the Processing, the applicable erasure, modification or Processing mechanism, the purpose of the Processing, any Data related to the Cross-border transfer and Processing of such Data, and a description of technical and organizational actions relating to information security and Processing operations. The Controller shall provide such register to the Office, whenever requested to do so.
5. appoint Processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the Processing requirements, rules and controls provided for in this Decree-Law and its Executive Regulations and implementing resolutions.
6. provide the Office, upon decision of the competent judicial authority, with any information requested by the Office in pursuance of its functions stated in this Decree-Law and its Executive Regulations.
7. any other obligations specified by the Executive Regulations of this Decree-Law.
ARTICLE (8) – THE GENERAL OBLIGATIONS OF THE PROCESSOR
The Processor shall:
1. perform and implement the Processing on instructions from the Controller, and pursuant to contracts and agreements between them, which identify in particular the scope, subject, purpose, nature and type of Personal Data, and the categories of Data Subjects.
2. implement the appropriate technical and organizational measures and actions to protect the Personal Data at the design stage, either during the identification of Processing means or during the Processing itself, taking into regard the cost of implementation of such measures and actions and the nature, scope and purpose of the Processing.
3. perform the Processing in line with its purpose and within the specified timeframe. If the Processing extends beyond the specified timeframe, the Processor must inform the Controller to allow it to extend such timeframe or to give appropriate instructions.
4. erase data after the expiration of the Processing timeframe or surrender them to the Controller.
5. not take any act which might result in the disclosure of Personal Data or the Processing findings unless in cases permitted by law.
6. protect and secure the Processing and secure electronic means and devices used in the Processing and Personal Data contained therein.
7. maintain a record of Personal Data processed on behalf of the Controller, which shall contain the details of the Controller, the Processor and the Data Protection Officer, a description of categories of Personal Data, Data related to persons authorized to access Personal Data, the timeframe, restrictions and scopes of the Processing, the applicable erasure, modification or Processing mechanism, the purpose of the Processing, any Data related to the Cross-border transfer and Processing of such Data and a description of technical and organizational actions relating to information security and Processing operations. The Processor shall provide such register to the Office, whenever requested to do so.
8. provide all means to demonstrate its compliance with the provisions of this Decree-Law on demand by the Controller or the Office.
9. process the Personal Data in accordance with the rules, conditions and controls specified by this Decree-Law and its Executive Regulations or under which instructions are issued by the Office.
10. in the case of joint Processors, the Processing shall take place pursuant to a written contract or agreement clearly defining their respective obligations, responsibilities and roles in the Processing; failing which, they shall be deemed jointly liable for the obligations and responsibilities stated in this Decree-Law and its Executive Regulations.
11. The Executive Regulations of this Decree-Law shall determine the procedures, controls, conditions and technical and standard criteria relating to such obligations.
ARTICLE (9) – NOTIFICATION OF PERSONAL DATA BREACH
1. In addition to its obligations provided for herein, the Controller shall immediately after having become aware of it, notify the Office of any Personal Data Breach relating to a Data Subject which is likely to result in a risk to privacy, confidentiality, and security of his Data and the findings of the investigation within such period and in accordance with such procedures and conditions specified by the Executive Regulations of this Decree-Law, provided notification is accompanied by the following statement and documents:
a. a description of the nature, form, reasons, approximate number and records of the Breach.
b. the Details of its Data Protection Officer.
c. the potential and expected effects of the Breach.
d. a description of actions and measures taken by it and those proposed to be taken to rectify such Breach and minimize its negative effects.
e. documentation of the Breach and the corrective actions taken by it.
f. any other requirements requested by the Office.
2. In any event, the Controller shall inform the Data Subject where such Breach is likely to result in a risk to the privacy, confidentiality and security of Personal Data concerning him within such period and in accordance with such procedures and conditions specified by the Executive Regulations of this Decree-Law, and shall inform him of the actions taken by it.
3. The Processor shall, immediately after having become aware of it, notify the Controller of any Personal Data Breach relating to a Data Subject, and the Controller shall in turn notify the Office pursuant to subclause (1) above.
4. The Office shall, following the receipt of the notification from the Controller, ascertain the reasons for the Breach to ensure the integrity of the security actions taken, and impose the administrative sanctions referred to in Article (26) hereof if it is proved that a contravention of the provisions of this Decree-Law and its implementing resolutions has been committed by the Controller or the Processor.
ARTICLE (10) – DESIGNATION OF DATA PROTECTION OFFICER
1. The Controller and the Processor shall appoint a Data Protection Officer that has the adequate skills and knowledge to protect the Personal Data, in any of the following events:
a. where the Processing is likely to result in a high risk to the privacy and confidentiality of Personal Data relating to the Data Subject as a result of adoption of new technologies or due to the amount of Data.
b. where the Processing involves a systematic and overall assessment of Sensitive Personal Data including Profiling and Automated Processing.
c. where the Processing involves a large scale of Sensitive Personal Data.
2. The Data Protection Officer may be an employee of the Controller or the Processor, or authorized by them, whether from inside or outside the State.
3. The Controller or the Processor shall designate the contact details of the Data Protection Officer and inform the Office accordingly.
4. The Executive Regulations of this Decree-Law shall specify the kinds of technologies and the standards of determination of the amount of Data required under this Article.
ARTICLE (11) – ROLES OF DATA PROTECTION OFFICER
1. The Data Protection Officer shall monitor compliance of the Controller or Processor with the provisions of this Decree-Law and its Executive Regulations and implementing resolutions as well as the instructions issued by the Office. The Data Protection Officer shall in particular have the following tasks and duties:
a. monitor the adequacy and quality of procedures applicable within the Controller or Processor.
b. receive the requests and complaints relating to Personal Data in accordance with the provisions of this Decree-Law and its Executive Regulations.
c. provide technical advice in relation to the periodic assessment and verification procedures regarding the Personal Data protection systems and intrusion prevention systems within the Controller and Processor, document the results of such assessment, and make relevant recommendations including the risk assessment procedures.
d. act as the contact point between the Controller or Processor, as the case may be, and the Office in respect of the Controller or Processor’s application of the provisions of Personal Data Processing provided for herein.
e. Any other tasks or authorities determined under the Executive Regulations of this Decree-Law.
2. The Data Protection Officer shall keep confidential the information and Data received in the performance of his tasks and authorities under the provisions of this Decree-Law and its Executive Regulations and in accordance with the legislation in force in the State.
ARTICLE (12) – OBLIGATIONS OF CONTROLLER AND PROCESSOR TO THE DATA PROTECTION OFFICER
1. The Controller and Processor shall provide all means to ensure that the Data Protection Officer carries out his roles and tasks provided for in Article (11) hereof as intended. The Controller and Processor shall in particular:
a. ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of Personal Data.
b. ensure that the Data Protection Officer is provided with all necessary resources and support to carry out his tasks.
c. ensure that the Data Protection Officer is not dismissed or penalized for performing his tasks in accordance with the provisions of this Decree-Law.
d. ensure that the Data Protection Officer is not entrusted with any tasks that result in a conflict of interests with his tasks specified hereunder.
2. A Data Subject shall have the right to directly communicate with the Data Protection Officer in relation to Personal Data concerning him and to the Processing of such Data in order to be able to exercise his rights pursuant to the provisions of this Decree-Law.
ARTICLE (13) – RIGHT OF ACCESS TO INFORMATION
1. A Data Subject shall have the right, upon request submitted to the Controller and at no charge, to obtain the following information:
a. the categories of Personal Data processed.
b. the purposes of the Processing.
c. automated decision-making, including Profiling.
d. target sectors or enterprises with whom Personal Data concerning him are shared inside and outside the State.
e. controls and standards relating to the duration of storage and archiving of Personal Data concerning him.
f. actions for the rectification, erasure or restriction of the Processing and objection to Personal Data concerning him.
g. safeguards in the case of Cross-border Processing pursuant to Article (22) and (23) hereof.
h. actions to be taken in the case of Breach of Personal Data concerning him, in particular where the Breach presents a direct and serious threat to the privacy and confidentiality of Personal Data relating to him.
i. how to lodge a complaint with the Office.
2. In any event, the Controller shall, prior to the Processing, provide the Data Subject with the information referred to in para. (b), (d) and (g) of subclause (1) above.
3. The Controller shall have the right to reject the request of the Data Subject to obtain information referred to in subclause (1) above, if it finds that:
a. the request is not related to information referred to in subclause (1) above or is excessively repeated.
b. the request is in contravention of the judicial procedures or investigations carried out by the competent entities.
c. the request has a negative impact on the Controller’s endeavors to protect information security.
d. the request relates to the privacy and confidentiality of Personal Data concerning a third party.
ARTICLE (14) – RIGHT TO REQUEST PERSONAL DATA PORTABILITY
1. A Data Subject shall have the right to receive his Personal Data, which he has provided to a Controller, in a structured and machine-readable format where Processing is based on the Consent of Data Subject, or is necessary for the performance of a contractual obligation, or performed by automated means.
2. A Data Subject shall have the right to transfer Personal Data concerning him to another Controller, wherever technically possible.
ARTICLE (15) – RIGHT TO RECTIFICATION OR ERASURE OF PERSONAL DATA
1. A Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or to complete such Data.
2. Without prejudice to legislation in force in the State and for reasons of public interest, a Data Subject shall have the right to require the Controller to erase the Personal Data concerning him in any of the following cases:
a. where the Personal Data concerning him are no longer necessary for the purposes for which they were collected or processed.
b. If the Data Subject withdraws his Consent on which the Processing is based.
c. If the Data Subject objects to the Processing, or there are no legitimate grounds to continue the Processing by the Controller.
d. The Personal Data concerning him is processed in violation of the provisions of this Decree-Law and the legislation in force, and the erasure is needed for compliance with legislation and approved standards applicable in this regard.
3. Notwithstanding subclause (2) above, a Data Subject shall not have the right to request the Controller to erase Personal Data concerning him in the following cases:
a. If the request relates to the erasure of Personal Data relating to public health with private institutions.
b. If the request affects investigations, claim or defense of rights and legal actions in respect of the Controller.
c. If the request is in conflict with other legislation to which the Controller is subject.
d. Any other cases specified by the Executive Regulations of this Decree-Law.
ARTICLE (16) – RIGHT TO RESTRICTION OF PROCESSING
1. A Data Subject shall have the right to require the Controller to restrict and stop the Processing in any of the following cases:
a. where the Data Subject contests the accuracy of Personal Data concerning him, in which case the Processing is restricted for a limited period enabling the Controller to verify the accuracy of the Personal Data.
b. where the Data Subject objects to the Processing of Personal Data relating to him contrary to the agreed purposes.
c. where the Processing is performed in contravention of the provisions of this Decree-Law and the legislation in force.
2. A Data Subject shall have the right to require the Controller to continue keeping the Personal Data relating to him after the expiry of the purpose of Processing, where the Personal Data is necessary to pursue or defend in procedures relating to the claim of rights and legal actions.
3. Notwithstanding subclause (1) above, the Controller shall have the right to process the Personal Data relating to the Data Subject without his consent in any of the following cases:
a. where the Processing is restricted to the storage of Personal Data.
b. where the Processing is necessary to initiate or defend in any procedures relating to the claim of rights or judicial actions or is related to judicial procedures.
c. where the Processing is necessary for the protection of third party rights pursuant to legislation in force.
d. where the Processing is necessary for the reasons of protection of public interest.
4. In any event, the Data Subject must be informed by the Controller when the restriction referred to in this Article is lifted.
ARTICLE (17) – RIGHT TO STOP PROCESSING
A Data Subject shall have the right to object to the Processing of Personal Data relating to him and stop the Processing in any of the following events:
1. where Personal Data is Processed for direct marketing purposes, including Profiling to the extent that it is related to such direct marketing.
2. where the Personal Data is processed for statistical survey purposes, unless the Processing is necessary for the reasons of public interest.
3. where the Personal Data is processed in contravention of the provisions of Article (5) hereof.
ARTICLE (18) – RIGHT TO OBJECT TO AUTOMATED PROCESSING
1. A Data Subject shall have the right to object to automated decision-making that has legal implications or seriously affects the Data Subject, including Profiling.
2. Notwithstanding subclause (1) above, a Data Subject shall not have the right to object to automated decision-making in the following cases:
a. The Automated Processing is performed under the terms of contract between the Data Subject and Controller.
b. The Automated Processing is necessary under other legislation in force in the State.
c. If the Data Subject has given his Consent to the Automated Processing pursuant to the conditions stated in Article (6) hereof.
3. The Controller shall implement appropriate measures and actions to protect the privacy and confidentiality of the Personal Data relating to the Data Subject in cases referred to in subclause (2) above, and to avoid any harm to, or prejudice of rights of the Data Subject.
4. The Controller shall involve the human element in the review of Automated Processing decisions upon request of the Data Subject.
ARTICLE (19) – MEANS OF COMMUNICATION WITH CONTROLLERS
The Controller shall provide clear and appropriate means and mechanisms that enable the Data Subject to communicate with him and request the exercise of any of his rights provided for herein.
ARTICLE (20) – PERSONAL DATA INFORMATION SECURITY
1. The Controller and the Processor shall put in place, and implement appropriate technical and organizational measures and actions to ensure a high information security level that is appropriate to the risks associated with the Processing in accordance with the best international standards and practices. This may include:
a. encryption of Personal Data and implementation of Data Pseudonymization.
b. implementation of measures and actions that guarantee the continued confidentiality, integrity, safety and flexibility of Processing systems and services.
c. Implementation of measures and actions that guarantee the retrieval of, and access to the Personal Data in due time in case of any actual or technical failure.
d. Implementation of actions that guarantee the smooth testing, assessment and evaluation of the effectiveness of technical and organizational measures in such a manner that ensures the security of Processing.
2. In assessing the level of information security referred to in subclause (1) above, due regard shall be given to:
a. risks associated with the Processing including corruption, loss, accidental or unlawful modification or unauthorized disclosure of, or access to the Personal Data transferred, stored or processed.
b. the cost, nature, scope and purpose of the Processing, and the disparity in potential risks to the privacy and confidentiality of Personal Data relating to the Data Subject.
ARTICLE (21) – PERSONAL DATA PROTECTION IMPACT ASSESSMENT
1. Subject to the nature, scope and purpose of the Processing, the Controller shall, prior to the Processing, carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, when using any modern technologies that are likely to result in a high risk to the privacy and confidentiality of Personal Data of the Data Subject.
2. Impact assessment provided for in subclause (1) above is necessary in the following cases:
a. where the Processing involves a systematic and extensive evaluation of personal aspects relating to the Data Subject which is based on Automated Processing, including Profiling, or has legal effects or might significantly affect the Data Subject.
b. where the Processing involves Sensitive Personal Data on a large scale.
3. The assessment referred to in subclause (1) above shall at least include:
a. a clear systematic description of the envisaged Processing operations on the protection of Personal Data and the purpose of the Processing of such Data.
b. assessment of the necessity and proportionality of the Processing operations in relation to the purpose thereof.
c. assessment of the potential risks to the privacy and confidentiality of Personal Data relating to the Data Subject.
d. actions and measures envisaged to reduce the potential risks to the protection of the Personal Data.
4. The Controller may carry out one assessment of a set of Processing operations that are similar in nature and risks.
5. The Controller shall coordinate with the Data Protection Officer when assessing the impact of Personal Data protection.
6. The Office shall prepare a list of types of Processing operations that are not bound by Personal Data impact assessment and make it publicly available on its website.
7. The Controller shall review the assessment outcomes on a periodic basis to ensure that the Processing is performed in line with the assessment in case the level of risks associated with the Processing operations varies.
ARTICLE (22) – CROSS-BORDER TRANSFER AND SHARING OF PERSONAL DATA FOR PROCESSING PURPOSES IN CASE THERE IS AN ADEQUATE LEVEL OF PROTECTION
A transfer of Personal Data outside the State may take place in the following cases approved by the Office:
1. The state or territory to which Personal Data is transferred has Personal Data protection legislation in place, including the main provisions, measures, controls, requirements and rules in relation to the protection of confidentiality and privacy of the Personal Data relating to the Data Subject and his ability to exercise his rights, and provisions relating to the imposition of appropriate measures against the Controller or the Processor through a regulatory or judicial entity.
2. The State’s accession to bilateral or multilateral agreements in respect of Personal Data protection with states to which Personal Data is transferred.
ARTICLE (23) – CROSS-BORDER TRANSFER AND SHARING OF PERSONAL DATA FOR PROCESSING PURPOSES IN THE ABSENCE OF AN ADEQUATE LEVEL OF PROTECTION
1. Notwithstanding Article (22) hereof, a transfer of Personal Data outside the State may take place in the following cases:
a. in states where no data protection law exists, Establishments operating in the State and in such states may transfer data under a contract or agreement binding the Establishment in such states to the provisions, measures, controls and conditions stated herein and containing provisions relating to the imposition of appropriate measures against the Controller or the Processor through a supervisory or judicial entity in such state which is specified in the contract.
b. the express consent of the Data Subject to the Processing of Personal Data relating to him outside the State in such a manner that does not conflict with the public and security interest of the State.
c. the transfer is necessary for performing obligations and establishing rights before judicial entities or exercising or defending them.
d. the transfer is necessary for the entry into, or the performance of a contract between the Controller and the Data Subject, or between the Controller and a third party for the interests of the Data Subject.
e. the transfer is necessary for the performance of an act relating to international judicial cooperation.
f. the transfer is necessary for the protection of public interest.
2. The Executive Regulations of this Decree-Law shall specify the controls and requirements regarding cases referred to in subclause (1) above, which must be met in case of transfer of the Personal Data outside the State.
ARTICLE (24) – COMPLAINT LODGING
1. A Data Subject may lodge a complaint with the Office, if he has reasons to believe that a contravention of the provisions of this Decree-Law has been committed, or that the Controller or Processor is Processing Personal Data relating to him in contravention of its provisions in accordance with the rules and procedures determined by the Office in this regard.
2. The Office shall receive complaints lodged by the Data Subject pursuant to subclause (1) above, and shall verify the same in coordination with the Controller and Processor.
3. The Office may impose the administrative sanctions set forth in Article (26) hereof in case any contravention by the Controller or the Processor of the provisions of this Decree-Law or the violation of its implementing resolutions is established.
ARTICLE (25) – GRIEVANCE AGAINST DECISIONS OF THE OFFICE
Any concerned party may file a grievance in writing with the Director General of the Office against any decision, administrative sanction or action taken against him by the Office within (30) thirty days of the date of his notification of such decision, administrative sanction or action. Such grievance shall be determined within (30) thirty days after being filed.
No appeal may be brought against any decision made by the Office pursuant to this Decree-Law unless a grievance is filed against it. The Executive Regulations of this Decree-Law shall specify the procedures for filing and deciding on grievances.
ARTICLE (26) – ADMINISTRATIVE VIOLATIONS AND SANCTIONS
A decision, specifying the acts that constitute contravention of this Decree-Law and its executive regulations, and the administrative sanctions to be imposed, shall be issued by the Cabinet upon proposal of the Director General of the Office.
ARTICLE (27) – DELEGATION
The Cabinet may, upon proposal of the Director General of the Office, confer certain mandates of the Office stated in this Decree-Law on any competent local government authorities within their domestic jurisdiction.
ARTICLE (28) – EXECUTIVE REGULATIONS
The Executive Regulations of this Decree-Law shall be issued by the Cabinet, upon proposal of the Director General of the Office, within (6) six months following the date of issuance of this Decree-Law.
ARTICLE (29) – ADJUSTMENT OF POSITIONS
The Controller and the Processor shall adjust their respective positions in accordance with the provisions of this Decree-Law within a period not exceeding (6) six months after the date of issuance of its Executive Regulations. Such period may be extended by the Cabinet for additional similar periods.
ARTICLE (30) – REPEALS
Any provision contrary to, or in conflict with the provisions of this Decree-Law shall be repealed.
ARTICLE (31) – PUBLICATION AND ENTRY INTO FORCE OF THE DECREE-LAW
This Decree-Law shall be published in the Official Gazette and shall come into effect on January 2, 2022.
Khalifa bin Zayed Al Nahyan
President of the United Arab Emirates
Issued by us at the Presidential Palace in Abu Dhabi
Date: 13 Safar 1443 Hijri, corresponding to 20 September 2021