Data Protection

Overview

  • On 20 September 2021, the United Arab Emirates (UAE) issued a new data protection law, Federal Decree-Law No. 45/2021 on the Protection of Personal Data. Prior to this, the UAE did not have a comprehensive data protection law on a federal level. An individual’s right to privacy is also protected under several federal UAE laws.

  • This Comparative Note addresses the data protection legal framework and regimes within the DIFC and across the UAE.

Definitions

  • MEASA: Middle East, Africa and South Asia.

  • DRA: Dispute Resolution Authority.

  • MoG: Memorandum of Guidance.

  • DHCC: Dubai Healthcare City.

  • DIFC: Dubai International Financial Centre.

  • DFSA: Dubai Financial Services Authority.

  • Commissioner: Independent regulator set up to uphold data privacy for individuals in or from DIFC.

  • Processor: Person who processes personal data on behalf of a Controller.

  • Controller: Person in the DIFC who determines the purposes for which, and the manner in which, any personal data is to be Processed.

  • Data Subject: Individual to whom the personal data relates. For example, where an organisation holds personal data about its employees, the employees are Data Subjects.