Data Protection in the UAE
Data protection has become a hot topic for businesses in recent years and is an area a start-up should pay particular attention to, especially in relation to its customers and its employees.
The position in the UAE
There is no comprehensive data protection law in the UAE at a federal level.
The UAE financial free zones have their own specific data protection regulations and procedures. For instance, the Dubai International Financial Centre and the Abu Dhabi Global Market have issued their own data protection laws which regulate the handling, processing, storage and transfer of personal data. If you intend to set up your start-up in one of the free zones, it is important that you familiarise yourself with the data protection position of the relevant free zone, as it is likely to differ from the general UAE position explored in this article. We also note that there are sector-specific regulations that may need to be complied with. Please do contact us if you would like further information on data protection, as we can assist and provide guidance with the particularities of the position for your business.
Collection and Processing of Data
As there is no comprehensive data protection law in the UAE, there are no clear requirements for how a start up should conduct the collection and processing of data. However, on a wide interpretation of Article 379 of the Penal Code, this provision could apply to the processing or transfer of data. Article 379 provides that a person who is entrusted with a secret, which may be in the capacity of their profession, is prohibited from using or disclosing the secret without consent or otherwise in accordance with law. As the terms used in Article 379 are not defined, "secret" could be widely interpreted to include personal data, and "use" and "disclose" could be broadly interpreted to cover the transfer or processing of data. Contravention of Article 379 can result in imprisonment for a minimum of 1 year and/or a fine of up to AED 20,000.
Consent of data subjects, whether this is customers or employees, should therefore be obtained before personal data is transferred, processed or collected. We also note that obtaining written consent is best practice.
It is important that a start-up understands the laws and requirements surrounding the handling of an employee's data in order to avoid any monetary and reputational damage early on in its lifespan.
Similarly to there being no comprehensive data protection law in the UAE, there is an absence of regulations concerning privacy and personal data in UAE Labour Law No. 8 of 1980 (as amended) (the UAE Labour Law). While the UAE Labour Law does not regulate the way employers handle or transfer employee data, it does require that employers maintain records and files for each employee.
We note that best practice in the UAE would be for employers to obtain the consent of employees before handling personal data or conducting background checks during the employment process. Again, to obtain written consent would be the recommended approach.
It should also be borne in mind that the principles of Sharia Law encourage the protection of people's privacy and this should be kept in mind when conducting business in the UAE.
Exemption to the general rule
As set out in this article, the general rule concerning personal data is that the consent of the data subject should be obtained. However, it would be prudent to note that Federal Law No. 3 of 1987 (Penal Code) provides an exemption to this rule being that personal data may be disclosed without written consent, or a secret may be disclosed without authorisation where (i) a UAE official or public authority has required the transfer of data and (ii) the transfer serves public interest or national security interests.
In our next article in this series, we will explore the formation of contracts and the essential elements required for the formation of contracts in the UAE.