CONTEXT
UAE personal data protection legislation imposes binding obligations on most private companies processing personal data of individuals in the UAE. Processing data without a proper legal basis — including relying on invalid or unclear consent — exposes a company to regulatory inspection, administrative fines, and operational restrictions.
LEGAL BASIS
- Federal Decree-Law No. 45 of 2021 on Personal Data Protection
- UAE Data Office — supervisory authority
Scope: The Law applies to most companies processing personal data of individuals in the UAE. Exceptions include government entities and certain free zones operating under separate regulatory regimes — notably financial free zones, which have their own data protection frameworks.
LAWFUL BASIS FOR DATA PROCESSING
Personal data may only be processed where a lawful basis exists. The most commonly relied upon basis is explicit consent of the data subject.
Requirements for valid consent:
- Specific and unambiguous
- Genuinely informed — the data subject must understand what they are consenting to
- Capable of ...