Support Centre

UAE - Federal

Summary

Law: Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data ('the Law')

Regulator: UAE Data Office

Summary: On 28 November 2021, the UAE Cabinet announced that it had enacted the Law, as issued on 20 September 2021. The Law covers the processing of personal data belonging to data subjects within the UAE, regardless of the location of the data controller or data processor. In addition, the Law outlines the conditions for consent, several data subject rights, as well as comprehensive requirements for controllers and processors, such as mandatory breach notification, the appointment of data protection officers, and the implementation of technical and organisational measures to support data security.The Law entered into force on 2 January 2022 and the Executive Regulations were expected within six months from the Law's date of issuance (i.e. March 2022), however they have not been released yet. Notably, companies must comply with the Law six months from the publication of the Executive Regulations. However, the Law does not apply to public entities or free zones in the UAE with their own data protection legislation (notably the DIFC and ADGM), nor does it apply to health or credit data governed by existing sectoral legislation. Furthermore, the Law repeals all laws which conflict with its provisions.

Notably, the supervisory authority responsible for overseeing the enforcement of the Law, the UAE Data Office, was established by Federal Decree-Law No. 44 of 2021 ('Law No. 44/2021'), issued contemporaneously with the Law on 20 September 2021. Article 9 of Law No. 44/2021 provides that for the first two years of the office's operation, the Telecommunications and Digital Government Regulatory Authority ('TDRA') will provide it with administrative and logistical support. Furthermore, Article 7 of Law No. 44/2021 states that the UAE Data Office's first financial year shall commence from the effective date of the Law No. 44/2021, i.e. 21 September 2021 (as per Article 11 of Law No. 44/2021).

Insights

The term 'direct marketing' refers to business practices whereby businesses sell, promote, or advertise their products or services directly to members of the public through means such as SMS, telephone, or email. In the UAE, there is a range of spam and privacy legislation and regulations that specifically restrict direct marketing practices. The UAE has a multi-territorial, multi-jurisdictional legal system that encompasses the federal legislature as well as so-called 'free zones,' which are special economic zones with their own company and commercial laws specifically applicable for companies incorporated within the respective free zone. Nick O'Connell, Andrew Fawcett, and Darya Ghasemzadeh, from Al Tamimi & Company, provide an overview of the federal regulations, as well as specific legislation in some of the UAE's free zones.   

Feedback