Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

UAE: UAE enacts new Federal Law on Protection of Personal Data as part of legislative reform package

The UAE Cabinet ('the Cabinet') announced, on 28 November 2021, that it had enacted Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data, as issued on 20 September 2021 and as part of its comprehensive Year of the 50th legislative reform which either amends or enacts over 40 further laws. In particular, the Law applies to the processing of personal data, by wholly or partly automated means, or any other means, by every data controller or data processor in the UAE processing the personal data of data subjects within or outside the UAE. Moreover, the Law also applies to every data controller or data processor established outside the UAE carrying out processing activities in relation to data subjects in the UAE. Furthermore, the Law makes particular reference to the establishment of the UAE Data Office ('the Office') pursuant to Federal Decree-Law No. 44 of 2021, and notes that the Cabinet, based on suggestions of the Director of the Office, will issue decisions to determine whether actions constitute a breach of the Law, based on the Law and the Executive Regulations, and determine the appropriate sanctions thereof. 

Furthermore, the Law outlines that executive regulations to the Law shall be published by the Prime Minister within six months of the date of publication of the same, and provides for an implementation period of 12 months from the date of publication of the Law for entities governed by the same. However, this date may be extended at the discretion of the Cabinet.

In this regard, the date of publication of the Law is 2 January 2022, as outlined in Article 31 of the Law and the executive regulations shall be published within six months from the Law's date of issuance, i.e. by 20 March 2022, according to which the implementation date shall be around 20 September 2022.

Key features of the Law include:

  • data controller obligations, including impact assessments, breach notifications, data protection officer appointments ('DPO'), and maintenance of data processing records;
  • data processor obligations including requirements regarding the relationships with data controllers;
  • principles for the lawful processing of personal data;
  • a requirement of consent for lawful processing of personal data and instances where consent shall not be required;
  • data subject rights; and
  • cross border data transfers.

Notably, the Law specifies that it does not apply to, among other things:

  • public entities;
  • health data governed by existing legislation;
  • credit data governed by existing legislation; and
  • free zones with their own data protection legislation.

You can read the press release here.