The Constitution of the United Arab Emirates (UAE) provides that safety and security for all citizens shall be the pillars of society. The Constitution further provides that freedom of correspondence through post, telegraph or other means of communication, and the secrecy thereof, is guaranteed in accordance with the law, and that dwellings are inviolable. These constitutional provisions serve as the foundational guidelines for respecting privacy.
The statutory regime concerning data protection is chiefly found in the following laws/regulations.
Apart from the above, sector-specific regulations govern data protection in their respective sectors, as follows:
The above-mentioned laws/regulations provide for matters related to offences, penalties and enforcement in their respective sphere.
The UAE Data Office is the regulator for the purposes of the UAE Law.
The Commissioner of Data Protection administers the DIFC Law. The Commissioner is also responsible for the monitoring and enforcement of the ADGM Regulations.
The Central Bank of the UAE and the Telecommunications and Digital Government Regulatory Authority (TDRA) are the regulators for the banking and telecommunications sectors respectively, and are responsible (among other things) for the protection of their respective consumers’ data.
Health authorities (federal or local government) are entrusted with the protection of patients’ data.
The above-mentioned authorities have powers of investigation and complaint-handling in their respective spheres.
The Data Office (concerning the UAE Law) is competent to receive complaints by data subjects regarding contravention of provisions of the UAE Law. The Data Office is also competent to impose administrative sanctions on contravention of provisions of the UAE Law. A person aggrieved by any decision, administrative sanction or any action of the Data Office may file a grievance with the Director General of the Data Office. The grievance is to be filed within 30 days of the date of decision, administrative sanction or action of the Data Office. The Director General of the Data Office is to determine such grievance within 30 days of its filing. The executive regulations to be issued pursuant to the UAE Law will specify the procedural aspects for filing and deciding on such grievances.
The Commissioner of Data Protection (under the DIFC Law) is competent to receive complaints from data subjects concerning contravention of the DIFC Law or any breach of the rights of data subjects. The Commissioner is empowered to investigate the complaints and to issue a direction or declaration. The Commissioner is empowered to impose fines in the event of non-compliance with a direction issued by them. Concerning a complaint lodged with them, the Commissioner may follow such practices and procedures that will, in the Commissioner’s view, lead to the most timely, fair and effective resolution of the claim in the complaint. A controller, processor or data subject aggrieved by the Commissioner’s decision may appeal to the DIFC Court within 30 days.
On contravention of the ADGM Regulations, a data subject may lodge a complaint with the Commissioner of Data Protection under the ADGM Regulations. After an assessment, the Commissioner may:
The aggrieved controller, processor or data subject may refer the matter to the court for review. The court may make any orders that it thinks just and appropriate in the circumstances, within three months of the penalty notice, direction or date of complaint.
Under the UAE Federal Decree Law, the administrative sanctions to be imposed are issued by the cabinet upon proposal of the Director General of the Data Office.
As per the DIFC Law, when the Commissioner considers that a controller or processor is liable for contravention of law, they may issue an administrative fine to the controller or processor. The Commissioner should issue a notice to the controller or processor of imposition of a fine. Administrative fines are set out in Schedule 2 of DIFC Data Protection Law No 5 of 2020; fines corresponding to the contraventions mentioned in Schedule 2 range from USD10,000 to USD100,000.
Under the ADGM Regulations, if a controller or processor performs an act or abstains from performing an act in contravention of a direction issued by the Commissioner of Data Protection or the ADGM Regulations (or subsequent rules made thereunder), they shall be subject to imposition of an administrative fine by the Commissioner. The Commissioner shall send a written “penalty notice” to the controller or processor. The penalty imposed by the Commissioner must not exceed USD28 million.
Okadoc Technologies Limited (21 May 2024)
The ADGM Commissioner of Data Protection imposed a monetary penalty of USD20,000 on Okadoc Technologies Limited (“Okadoc”) for violating the ADGM Regulations. The penalty pertained to a breach of individual rights, specifically to Okadoc’s failure to comply with a data subject’s access request. The Office of Data Protection’s investigation revealed that Okadoc lacked adequate measures to identify, facilitate and fulfil the request.
The Commissioner of Data Protection issued a penalty notice under Section 55(1) for breaches related to Articles 10(1) to (5), 22(1) and (2) concerning “implementation of technical and organisational measures to process the personal data”, as well as Article 29 of the ADGM Regulations, which pertains to the rights of data subjects.
Venture Rock Global Limited (23 June 2023)
The ADGM Commissioner of Data Protection issued a direction under Section 54(1) for breaches related to Articles 4(1)(f), 22(1), 22(2), 29, 30(1) and 30(2) of the ADGM Regulations, which encompass obligations regarding data security and processing.
In its assessment, the Commissioner found that Venture Rock had contravened the ADGM Regulations through a lack of security, a lack of policies and procedures, and inappropriate technical and organisational measures; the report identified “human error from poor cybersecurity practices” as a root cause of the incident. A lack of proper training, awareness and appropriate policies/procedures was a key factor leading to the violation of the ADGM Regulations.
Through its Regulation 10, the DIFC has enacted amendments to its data protection regulations aimed at overseeing the use of autonomous and semi-autonomous systems, particularly those driven by artificial intelligence (AI) and machines. The regulations apply to AI-driven systems and processes used within the DIFC’s jurisdiction – either autonomous systems or semi-autonomous systems. These regulations emphasise:
Although neither the ADGM nor the DIFC has enacted laws specifically dedicated to AI, both have incorporated AI-related considerations into their existing data protection and governance frameworks. These provisions ensure that AI applications in financial services are used responsibly, ethically and in accordance with data protection standards.
AI regulation in the UAE has a significant impact on data protection, with the introduction of guidelines and safeguards that ensure the ethical and secure use of personal data. The interplay between AI-specific initiatives and general data protection laws creates a robust framework for addressing the challenges posed by AI technologies.
AI technologies often involve automated decisions and profiling, which can significantly affect individuals. The UAE’s Federal Decree Law No 45 of 2021 on personal data protection requires explicit consent for such processing.
Individuals have the right to contest decisions made solely through automated means, enhancing data subjects’ rights.
As discussed in 4. Sectoral Issues, the ADGM Commissioner of Data Protection has issued a direction in two different cases with respect to contravention of the ADGM Regulations, though in this regard no active litigation occurred with respect to privacy.
Okadoc Technologies Limited (21 May 2024)
The violation involved failure to comply with a data subject’s access request, breaching individual rights. The penalty was a USD20,000 fine under the ADGM Regulations. Adequate processes were lacking for identifying, facilitating and fulfilling the access request.
VentureRock Global Limited (23 June 2023)
The violation involved deficiencies in data security, policies and procedures. The ADGM Commissioner of Data Protection found that poor cybersecurity practices due to human error, inadequate training, and lack of proper policies and procedures contributed to the violation.
Collective redress, as defined and practised in the EU and other jurisdictions, is not as clearly outlined or widely implemented in the UAE with respect to personal data privacy.
The TDRA has issued a regulatory policy on the Internet of Things (IOT). This policy shall be applicable to all persons connected with IOT within the UAE, including but not limited to:
Objective/Scope
The IOT policy encompasses the following objectives:
Obligations
Any service provider providing IOT is under an obligation to follow UAE telecommunications laws, regulations and the IOT policy. The IOT service provider has to register with the TDRA and obtain an IOT service provider registration certificate.
IOT service providers need to have a local presence or must appoint a representative to have a point of contact with the TDRA.
Service providers must ensure that the service they provide is adequate and reliable.
For personal data processing and storage, the IOT service provider must follow the principles of purpose limitation, data minimisation and storage limitation.
Secret, sensitive and confidential data of individuals and businesses must be stored within the UAE. However, such data may be stored outside the country where the storage location offers an adequate or higher level of security.
Secret, sensitive and confidential data of the government will remain in the UAE.
The service provider has to use encryption standards. Data processors/service providers must establish technical measures to enable inspection of stored data.
IOT services in the UAE are also regulated by Federal Decree Law No 3/2003 (the “Telecommunications Law”), under which different penalties apply for contravention of the law.
Defiance of or non-compliance with the IOT policy by IOT service providers or users shall be taken as a breach of the UAE Telecommunications Law, and may be penalised by the TDRA.
The UAE has a set of data privacy laws that are applicable in the federal domain and special economic zones (the ADGM and DIFC).
Federal Decree Law No 45 of 2021 is applicable in the mainland and derives from general data protection law.
The DIFC free zone includes DIFC Data Protection Law No 5 of 2020, which is also in alignment with the General Data Protection Regulation (GDPR).
The ADGM free zone includes the ADGM Regulations.
These data privacy laws are largely in line with global data privacy laws (such as the GDPR) but are also custom-made in accordance with local requirements and traditions.
Apart from these dedicated data privacy laws, certain sectoral laws provide protection to consumers with respect to data privacy.
Financial Sector
The Central Bank has issued the following regulations:
Telecommunications Sector
The TDRA has issued the Consumer Protection Regulation, which gives protection to the privacy of subscribers’ information.
Healthcare Sector
In the realm of data privacy, the healthcare sector is governed by Federal Law No 2 of 2019 on the use of information and communications technology (ICT) in health fields. The law ensures the security and safety of health data and information.
Cybersecurity
Federal Decree Law No 34 of 2021 on combating rumours and cybercrime integrates data protection measures into cybersecurity frameworks.
All these sectoral laws have as a common element the safeguarding of consumers’ personal data, health data, financial data and subscriber information.
Please see 3.1 Objectives and Scope of Data Regulation.
Please see 1.2 Regulators.
While no specific law regulates the use of cookies in the processing of personal data, existing personal data protection laws apply to their collection and use. Consent must be explicitly obtained from data subjects before cookies are utilised, and they must be provided with clear and accessible options to opt out of cookie usage.
The UAE Law confers on the data subject a “right to stop processing” where personal data is processed for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.
The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and that the data subject be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes, including profiling to the extent that profiling is related to such direct marketing.
The ADGM Regulations carry the same provisions as in the DIFC Law regarding direct marketing. The ADGM Regulations also provide that, when a data subject objects to direct marketing, personal data must not be processed for direct marketing purposes.
Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, provides that a worker should maintain the confidentiality of information and data to which they have access by virtue of their work.
The UAE Law, the DIFC Law and the ADGM Regulations do not contain any provision concerning the role of labour organisations, whistle-blowing or e-discovery.
In the UAE, data processing in the context of asset deals must comply with both federal and sector-specific data protection regulations. Data processors must abide by the principles and obligations laid down by Federal Decree Law No 45 of 2021 on personal data protection, the DIFC Law of 2020 and the ADGM Data Protection Regulations 2021.
In addition, Article 120 of Federal Decree Law No 14 of 2018, concerning the Central Bank and the regulation of financial institutions and activities, states that all customer data and information related to accounts, deposits, safe deposit boxes, trusts and associated transactions with licensed financial institutions are strictly confidential. Disclosure to third parties is prohibited without the account owner’s written consent or that of their legal attorney or authorised agent, except in cases permitted by law. This confidentiality obligation remains binding even after the termination of the customer’s relationship with the institution.
The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction with a law in place covering various aspects as to the protection of personal data (ie, an adequate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.
The DIFC Law provides that personal data may be transferred to a third country or to an international organisation on the basis of an adequate level of protection, as determined by the Commissioner of Data Protection. A list of adequate jurisdictions is issued through the DIFC Data Protection Regulations.
The ADGM Regulations allow the transfer of personal data outside the ADGM or to an international organisation, where the Commissioner has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection.
There is no requirement for any government notifications or approvals in order to transfer data internationally, except as discussed in 5.3 Data Localisation Requirements related to health data.
There is no requirement of data localisation, except for health information and data, which – under Federal Law No 2 of 2019 – may not be stored, processed, generated or transferred outside the UAE, except upon a decision issued by the Health Authority in co-ordination with the Ministry of Health and Prevention.
There are no blocking statutes in the UAE.
No information is available on this topic.
D 3-4, Office 302
Al Sarab Tower, Level 15
ADGM Abu Dhabi
United Arab Emirates
+971 52 914 1118
Saeed.hasan@bizilancelegal.ae www.bizilancelegal.ae
UAE Data Protection Law Framework: Mainland, DIFC and ADGM
Overview
This article provides a comprehensive summary of the data protection frameworks across distinct UAE jurisdictions – the UAE mainland, the Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC). It also explores how these regimes interact in the realm of personal data protection.
UAE
The UAE introduced its first Federal Data Protection statute on 20 September 2021 – Federal Decree-Law No 45 of 2021 on the Protection of Personal Data (PDPL) – which officially came into force on 2 January 2022. A key feature of the PDPL is the establishment of the UAE Data Office, the central authority tasked with managing data subject complaints, issuing guidance and enforcing the law. The PDPL mandates that the UAE Data Office shall issue Executive Regulations to define detailed standards and controls for implementation. Enforcement of the PDPL was scheduled to commence six months after these regulations were formally adopted.
Prior to the PDPL, personal data protection and confidentiality were addressed through a variety of legal instruments, including:
DIFC
The DIFC Data Protection Law (Law No 5 of 2020) governs personal data in the DIFC, aligning with GDPR and UK standards. Supported by the DIFC Data Protection Regulations (the “DIFC DP Regulation”), effective 1 July 2020, it applies to DIFC-based entities and to any controller or processor handling personal data within the DIFC, regardless of location. Its extraterritorial scope ensures robust data protection for all processing activities conducted through local means or personnel within the financial centre.
The Office of the Commissioner of Data Protection (the “Commissioner”) is the designated regulatory body responsible for enforcing these provisions. The Commissioner handles complaints from data subjects, oversees compliance with both the law and the regulations, and works to enhance public understanding of data protection principles.
Inadvertently obtained information
Amendments of 1 September 2023 to the DIFC DP Regulations introduced a key update: individuals who inadvertently receive personal data are now classified as “temporary custodians” and must notify the owner or the Commissioner and delete the data in order to avoid liability for unauthorised processing.
Marketing and communications
Marketing rules mandate that data subjects be clearly informed of their right to limit data use. Organisations must provide intuitive privacy options, such as clear selection boxes and accessible language, to ensure transparency in data collection and usage.
Processing via autonomous and semi-autonomous systems
For the first time, AI and semi-autonomous systems fall under regulation. Entities using such technologies must notify data subjects about data-processing purposes, system design principles and any certifications. The amendments establish key AI design principles, including ethics, fairness, transparency, security and accountability, ensuring responsible and compliant data use. These changes strengthen the DIFC’s data protection framework, reinforcing privacy rights and ethical technology deployment.
ADGM
The ADGM Data Protection Regulations (the “ADGM DPR”) set the legal framework for personal data protection within the ADGM. Issued on 14 February 2021, they took effect on 14 February 2022 after a one-year transition. Enforced by the Office of Data Protection under the Commissioner, the regulations also apply beyond the ADGM as follows:
Territorial Application
The data protection regimes in the UAE, DIFC and ADGM extend their reach beyond their physical boundaries, but each under its own set of conditions.
PDPL (UAE mainland)
Any controller or processor, wherever they are based, who processes personal data of individuals located in the UAE must comply with the PDPL. The regulation’s definition of “data subject” is broad, covering all natural persons, and is not limited to the citizens or residents of the UAE. This means that even a tourist visiting the UAE temporarily is included within its scope, and any entity handling such personal data is subject to its provisions.
DIFC Data Protection (DP) Law
The DIFC DP Law applies to controllers and processors irrespective of their incorporation if they process personal data within the DIFC. In practice, this means that, if data processing occurs via means or personnel operating in the DIFC, the entity must adhere to the DIFC DP Law, ensuring full compliance within the centre.
ADGM DPR
The extraterritorial application of the ADGM DPR is more circumscribed. For controllers or processors outside the ADGM to fall under its jurisdiction, there must be a direct and substantial connection to an ADGM-based entity. In other words, the external processing must be integrally linked to the operations of a company within the ADGM, with the revenue generated by the ADGM entity being demonstrably tied to those processing activities.
Analysis
The UAE PDPL has a broad extraterritorial scope, applying to any processing of personal data involving individuals in the UAE, regardless of the controller’s or processor’s location – even covering tourists. In contrast, the DIFC DP Law applies based on where processing occurs, focusing on whether the means or personnel are in the DIFC, irrespective of the data subjects’ locations. The ADGM DPR takes a narrower approach, applying to foreign entities only if there is a strong, demonstrable link to an ADGM-based company, ensuring jurisdiction is limited to processing activities closely tied to the company’s services and revenue.
Non-Consent-Based Legal Basis for Processing of Data
“Consent” is a key principle in personal data processing, ensuring that data subjects retain control. The PDPL, DIFC DP Law and ADGM DPR set strict consent criteria. The PDPL requires consent to be specific, informed and unambiguous, with clear details on processing purposes and the controller’s identity. The DIFC DP Law and ADGM DPR further mandate that consent be “freely given”, preventing coercion. However, consent is not always the sole legal basis for processing. These frameworks also outline alternative grounds, allowing data processing without consent, and ensuring a balanced approach between regulatory compliance, individual rights and business or public interest needs. This applies as follows.
PDPL
DIFC DP Law
ADGM DPR
Analysis
The PDPL, DIFC DP Law and ADGM DPR provide distinct yet overlapping legal bases for data processing. All three prioritise protecting vital interests and fulfilling contractual or legal obligations. While the DIFC DP Law and ADGM DPR recognise “legitimate interests” as a basis, the PDPL does not, instead focusing on public interest and health-related processing. Together, these frameworks balance legal compliance, individual rights and business needs, reflecting a nuanced approach to data protection and regulatory requirements.
Whether “Consent” Is a Valid Basis for Processing of Data in the Case of an Employee
PDPL
Consent is recognised as a valid legal basis for processing personal data under the PDPL. However, the law does not expressly require that such consent be “freely given”. In practice, this means the PDPL does not explicitly address scenarios where power imbalances – such as those that might exist between employers and employees – could lead to consent that is less than voluntary. It is expected that future Executive Regulations may provide additional clarity on this issue.
DIFC DP Law/ADGM DPR
In contrast, both the DIFC DP Law and the ADGM DPR – as interpreted through guidance issued by their respective data protection authorities – mandate that consent must be “freely given”. These frameworks are to be read alongside UK and EU standards, which emphasise that data subjects must have a genuine, uninfluenced choice when consenting, ensuring that no party is coerced into agreeing to data processing.
Analysis
The PDPL accepts consent as a legal basis for processing without an explicit requirement for it to be “freely given”, leaving potential issues unaddressed – such as power imbalances between employers and employees. On the other hand, the DIFC DP Law and the ADGM DPR take a more robust stance by requiring that consent be given voluntarily. This stricter requirement aligns these frameworks with international best practices, thereby better safeguarding the autonomy of data subjects in all contexts.
Data Subject Rights
The common data subject rights granted under the PDPL, DIFC DP Law and ADGM DPR are that:
DIFC DP Law
Data subject rights specific to the DIFC DP Law are as follows:
Analysis
The PDPL, DIFC DP Law and ADGM DPR all outline data subject rights that mirror those found in the GDPR, thereby aligning with international practices. This harmonisation not only reinforces the protection of personal data but also makes these jurisdictions attractive to international entities, as they can be confident that their transferred data will be safeguarded by globally recognised standards. Notably, the DIFC DP Law goes a step further by explicitly incorporating non-discrimination measures and mandating multiple communication methods, thereby providing data subjects with additional tools to enforce their rights and prevent unfair treatment.
Special Provisions With Respect to Processing of Personal Data in Relation to a Minor
PDPL
The PDPL does not include any special provisions for processing the personal data of minors. As a result, minors are treated in the same manner as adult data subjects under this law.
DIFC DP Law
Under the DIFC DP Law, minors are granted an absolute right to object to automated processing. While this right is absolute for minors, adult data subjects may have certain limitations or conditions attached to exercising the same right.
ADGM DPR
The ADGM DPR outlines a three-pronged proportionality test for using the “legitimate interest” basis to process personal data. This test is further explained in guidance from the Office of Data Protection, which highlights the importance of considering whether the data subject is a minor when applying the test. The guidance emphasises that, when minors exercise their right to access information, the provided data must be communicated in a clear, transparent and easily understandable manner tailored to their level of understanding.
Analysis
Under the PDPL, minors are treated the same as adults for data processing. However, both the DIFC DP Law and the ADGM DPR introduce more tailored protections for minors. In the DIFC, minors are granted an absolute right to reject automated processing, while the ADGM framework incorporates a proportionality test that places special emphasis on the data subject’s minor status when justifying processing based on “legitimate interest”. These measures demonstrate a heightened sensitivity to the unique risks and needs involved in handling the personal data of minors.
Appointment of a Data Protection Officer
PDPL
Under the PDPL, a Data Protection Officer (DPO) must be appointed when:
DIFC DP Law
A DPO is required under the DIFC DP Law only when a controller or processor is engaged in “high risk activities” on a regular or systematic basis that includes:
ADGM DPR
The ADGM DPR mandates the appointment of a DPO if an organisation is involved in:
Analysis
All three frameworks – the PDPL, DIFC DP Law and ADGM DPR – set similar thresholds for DPO appointment. They each require a DPO in scenarios where data processing presents elevated risks, whether due to the volume of data, the sensitive nature of the information involved, or when systematic processing activities occur. This unified approach ensures that organisations managing high-risk data-processing operations have dedicated oversight to maintain robust compliance with data protection standards.
International Transfers
PDPL
Under the PDPL, personal data transfers outside the UAE are permitted if the recipient’s jurisdiction has adequate data protection laws or if a bilateral agreement exists. If neither applies, transfers may proceed on the basis of a binding contract ensuring safeguards, the explicit consent of the data subject, legal compliance or legal claims. Transfers are also allowed for contractual obligations in the data subject’s interest, international judicial co-operation or safeguarding the public interest.
DIFC DP Law
Under the DIFC DP Law, personal data transfers outside the DIFC are allowed if the recipient jurisdiction has adequate data protection laws. If no such laws exist, transfers require legally binding contracts, corporate rules or safeguards such as explicit consent, contractual necessity, legal compliance or public interest. Transfers are also valid for legal claims, vital interests, financial standards or AML/CFT compliance.
If the data transfer does not fall under any of these conditions, it must meet the following additional criteria to be considered valid under the DIFC DP Law:
ADGM DPR
Such transfers are permissible under specific conditions, as follows.
Transfers are allowed to jurisdictions recognised by the ADGM Commissioner of Data Protection as providing an adequate level of data protection. The list of these jurisdictions is maintained and updated by the ADGM Office of Data Protection.
In the absence of adequate laws, data transfers require safeguards that include legally binding instruments, corporate rules, standard clauses, codes of conduct, or certification ensuring data rights and legal remedies. Transfers can also rely on explicit consent, public interest, legal compliance, vital interests, legal claims, or contracts facilitating performance and protecting the data subject’s interests.
Analysis
The data transfer rules across these jurisdictions clearly outline when personal data may be moved beyond their borders, leaving no room for ambiguity. This precise approach not only facilitates cross-border data flows in a practical and flexible manner but also maintains the confidentiality of personal data. In instances where the receiving jurisdiction lacks robust data protection laws or formal bilateral agreements, the defined criteria provide both data subjects and organisations with the independence needed to manage their data transfers in line with their unique legal and operational requirements.
Data Breach
PDPL
Organisations must establish mechanisms to detect and manage data breaches. While detailed breach notification timelines will be specified in the forthcoming Executive Regulations, companies must promptly inform the UAE Data Office of any incidents that could jeopardise data subjects’ rights and freedoms.
DIFC DP Law
Reporting data breaches to authorities
If a company (controller) experiences a data breach, it must report the incident to the DIFC Commissioner without delay via the email commissioner@dp.difc.ae or the DIFC website.
Informing affected individuals
The Commissioner may instruct the company to inform affected individuals (data subjects) or to issue a public announcement through email, letters or media outlets.
Penalties for not reporting breaches
Failure to notify the Commissioner or affected individuals when legally required may incur fines, sanctions or other legal consequences.
Handling accidental possession of personal data
If a business or individual accidentally gains access to someone else’s personal data, they are considered a temporary custodian and the following applies.
Commissioner’s role in handling accidental data possession
The Commissioner will assess the situation and may:
ADGM DPR
Reporting data breaches
A company (controller) must report a personal data breach to the Commissioner of Data Protection within 72 hours of becoming aware of it. If delayed, an explanation must be provided. If a breach occurs at a processor, they must immediately notify the controller.
Report requirements
The report to the Commissioner should include:
Internal documentation
Regarding communication of a breach, companies must keep records of all breaches, their impact and resolutions. If a high-risk breach could significantly affect individuals, they must be notified immediately about:
Exception to notification
Notification is not required if:
The Commissioner’s authority
If a company opts not to notify individuals, the Commissioner may still require it if they assess a high risk. Conversely, they may confirm that no notification is necessary if risks are low.
Analysis
Every jurisdiction has different reporting obligations. While further regulatory guidance is awaited regarding the PDPL, companies must nonetheless swiftly inform the UAE Data Office of incidents posing risks to data subjects. The DIFC and ADGM mandate immediate breach reporting to the Commissioner, who may require notifying affected individuals and impose penalties for non-compliance. Across all frameworks, companies must maintain breach records, assess risks and implement corrective measures.
Conclusion
In recent years, the UAE, DIFC and ADGM have made notable progress in developing comprehensive data protection frameworks. While the UAE’s federal law, the PDPL, is still awaiting its Executive Regulations, the DIFC and ADGM have already implemented robust data protection regulations inspired by the EU GDPR, which ensure strong safeguards for personal data. These frameworks emphasise individual rights and accountability to uphold privacy and confidentiality. However, as regulations continue to evolve, organisations must stay proactive and implement effective compliance strategies to navigate the shifting landscape of data protection.
Floor 14
WeWork Hub71
Al Khatem Tower
ADGM Square
Al Maryah Island
Abu Dhabi
United Arab Emirates
+971 55 369 2517
karmadmin@karmadv.com www.karmadv.com