GDPR & UAE’s New Data Protection Law: Key Similarities To Know

On 28 November 2021, the UAE passed the Federal Decree-Law No. 45 of 2021, better known as the Personal Data Protection Law (PDPL). It follows several other countries around the globe in coming up with concrete legislation that protects the data of all residents within its jurisdiction.

Naturally, the new law has drawn several comparisons with the EU's General Data Protection Law (GDPR), considered by many to be the most thorough piece of legislation done on the subject of data privacy and data protection. Unsurprisingly, there are numerous similarities between the two laws, along with some notable differences.

Understanding these similarities and differences can help companies and data handlers achieve data compliance for both laws and gain a competitive advantage over the rest of their competition in both regions. Additionally, it can also be a helpful exercise in assessing how and in which areas they need to amend their data processing practices to remain compliant with both laws.

Scope Of the Law

Data privacy and protection have become an essential cornerstone of any company's ability to maintain the trust of its users. As users become increasingly aware and educated about what their rights are and the responsibilities of data handlers towards them, it is imperative that organisations understand where they stand.

The most natural step to start off with is to ensure whether a company needs to comply with the new UAE data protection laws and how it compares to compliance needs as per the GDPR.

The UAE

As per the new UAE PDPL, any company registered in the UAE that collects or processes the data of UAE residents is subject to this new legislation. Additionally, any company not registered in the UAE but processing the data is also subject to this legislation.

Some notable exemptions exist for government data, public entities' data, health and credit data subject to their own dedicated legislation. Moreover, companies established in the free zones of Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) are subject to their own data protection laws and exempt from the PDPL.

The GDPR

The GDPR deals with the scope and who needs to comply with it in a simpler way. Whether in the EU or outside, any company that collects data on EU residents has to comply with the legislation's provisions.

Additionally, there are provisions in the GDPR where if your product is being sold to customers in the EU or is accessible to them, you would need to comply with the GDPR. For example, if a company has an app on the App Store that is not available in the US but not the EU, they are exempt from complying with the GDPR. However, if the same app is available on a website that is available worldwide, the company would need to be GDPR compliant since EU residents can access the company's app. Interestingly, if a company's product or service is available in the EU currency or only offers to ship to the EU, it would still need to be GDPR compliant.

Data Subject Rights: GDPR vs PDPL

While the GDPR and the PDPL differ in some areas, they are on the same page when it comes to providing all users with several rights over their data. Here are all the rights that are guaranteed under both the GDPR and PDPL:

The UAE

Here’s how the UAE’s PDPL interprets Data Subjects’ rights:

• Right to Access Information - The data subject has the right to request access to the following information:
  • The categories of personal data processed;
  • The purpose of the processing;
  • Whether the personal data is shared inside or outside the state;
  • Automated decision making on his/her personal data;
  • Controls or standards relating to storage of his/her personal data;
  • Actions for rectification, restriction, or erasure of his/her personal data;
  • Safeguards applied to his/her personal data in case of cross border data transfer;
  • Actions to be taken in case of Personal Data Breach;
  • Procedure to lodge a complaint with the Office.
• Right to be Informed - The PDPL requires all data handlers to inform users what kind of data is being collected on them, where it is being stored, whether it is being shared or sold to anyone, and what protective measures are in place to protect this data.
• Right to be Forgotten - The data subject will have the right to rectify any inaccuracy of their personal information and the right to require the data controller to erase their personal information.
• Right to Stop Data Processing - The data subject can exercise the right to request a data handler to cease processing their data in the following circumstances:
  • Where personal data is processed for marketing purposes;
  • Where the processing is for statistical survey purposes, unless the processing is essential for the reasons of public interest;
  • Where the processing does not oblige with the Personal Data Protection Principles as stated under Article 5 of the PDPL.
• Right to Rectification - Similar to the right to erasure of data collected on them, the data subject can also request the data handler to make appropriate amendments and modifications if the data collected in the information collected is outdated, inaccurate, or incomplete.
• Right to Data Portability - The data subject has the right to receive their personal data in a structured and machine-readable format where the processing of personal data is subject to the data subject’s consent.

The GDPR

The GDPR remains the gold standard when it comes to data protection regulations around the world. Expectedly, it has an expansive set of rights for data subjects. The most prominent of which include:

• Right to Access Information - The GDPR gives all data subjects the right to request access to all information that a company or website may have collected on them. Additionally, a user can request to know how the data collected on them have been used, stored, processed, sold, or shared with other companies. A data handler is legally obligated to inform the data subject of the following whenever requested:
  • The purpose of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom personal data has been disclosed
  • The retention period or if not possible, the criteria used to determine that period
  • The existence of data subjects’ rights
  • The source of personal data where the personal data is not collected from the data subject and any available information
  • The right to file a complaint to the supervisory authority
  • The existence of data transfers
  • The existence of automated decision-making.
• Right to be Informed - The GDPR gives all data subjects the right to be adequately informed about any data collection needs of the website and give free consent to such data collection. This includes but is not only limited to:
  • The identity and contact details of the controller, controller’s representative, and DPO, where applicable
  • The purpose and the legal basis of the processing
  • The legitimate interests pursued by the controller or by a third party where the processing is based on legitimate interests
  • The categories of personal data concerned
  • The recipients of the personal data
  • Data transfers to a third-party or country
• Right to be Forgotten - The GDPR gives all data subjects the right to request any company or website to delete and permanently remove any data that may have been collected or processed on the user. The data subject has the right to make this request under the following conditions:
  • When the personal data is no longer necessary for the purposes it was collected
  • Where consent is withdrawn by the data subject,
  • When the data subject objects to data processing based on legitimate interests
  • When the data subject objects to data being processed for direct marketing purposes
  • When the personal data is unlawfully processed
  • When personal data has to be erased for compliance with a legal obligation.
  • When a child wants to erase data in case of the provision of information society services to a child.
• Right to Stop Data Processing - The GDPR gives all data subjects the right to request a company or website to cease processing data for any and all purposes effective immediately after such a request is made.
• Right to Rectification - The GDPR gives all data subjects the right to request amendments to the data collected on them or to request a modification in case of outdated or incorrect data.
• Right to Data Portability - The GDPR gives all data subjects the right to request a company or website to provide them a copy of all data collected on them in a machine-readable, easy-to-transfer manner.