FDL-45-2021 · Federal
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
- Date of adoption: 20.09.2021
- Entry into force: 02.01.2022
- Domain: data
Articles
Article 1 - Scope and Objectives
Article 1 of Federal Decree-Law No. 45 of 2021 establishes the law's purpose and application. The PDPL aims to protect personal data and the rights of data subjects in the UAE by regulating how personal information is collected, processed, stored, and shared. The law applies to both government entities and private sector organizations that handle personal data within UAE jurisdiction, ensuring compliance with principles of lawfulness, fairness, transparency, and data security throughout all processing activities.
Article 2 - Scope of Application
Article 2 of Federal Decree-Law No. 45 of 2021 (PDPL) establishes the law's territorial and material scope. The law applies to the processing of personal data by data controllers and processors established in the UAE, regardless of where processing occurs. It also covers processing by entities outside the UAE if they target UAE residents or offer goods/services to them. The law does not apply to personal data processing for national security, public safety, or by individuals for purely personal or household purposes unrelated to commercial activity.
Article 3 - Scope of Application
Article 3 of Federal Decree-Law No. 45 of 2021 establishes the law's territorial and material scope. The PDPL applies to personal data processing activities conducted by controllers and processors established in the UAE, regardless of where processing occurs. It also covers organizations outside the UAE that process personal data of UAE residents in connection with offering goods or services, or monitoring behavior. The law does not apply to individuals processing data for purely personal or household purposes, or to certain public authority activities related to national security and law enforcement, subject to specific exemptions outlined in the legislation.
Article 4 - FDL-45-2021
Article 4 of the UAE Personal Data Protection Law (FDL-45-2021) establishes the scope of application for data protection requirements. The law applies to the processing of personal data by controllers and processors established in the UAE, as well as to entities outside the UAE that offer goods or services to UAE residents or monitor their behaviour. The article ensures that the PDPL covers both domestic processing activities and extraterritorial conduct affecting UAE data subjects. Certain processing activities, including state security, defence, and public safety functions, may be exempt from specific provisions under justified circumstances outlined in implementing regulations.
Article 5 - FDL-45-2021 (PDPL)
Article 5 of Federal Decree-Law No. 45 of 2021 establishes principles for lawful processing of personal data. Organizations must process data only when they have a valid legal basis, such as data subject consent, contractual necessity, legal obligation, vital interests, public task performance, or legitimate interests. Processing must be fair, transparent, and limited to specified, explicit purposes. Data controllers are required to implement appropriate technical and organizational measures to ensure security and compliance with data protection principles throughout the processing lifecycle.
Article 6
Lawful bases for processing personal data: consent, contract, legal obligation, vital interest, public interest, legitimate interest.
Article 7 - Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data
Article 7 of FDL-45-2021 establishes the lawful basis for processing personal data. Processing is permitted only when the data subject provides explicit consent, or when necessary to fulfill a contract, comply with legal obligations, protect vital interests, perform public tasks, or pursue legitimate interests of the controller or third parties. The law requires that processing remain consistent with the purposes for which data was collected and that appropriate safeguards be implemented.
Article 8 - Data Processing Lawfulness
Article 8 of the UAE Personal Data Protection Law (FDL-45-2021) establishes the lawful bases for processing personal data. Processing is permitted only when the data subject has given explicit consent, or when processing is necessary for contract performance, legal obligations, vital interests protection, public tasks, or legitimate interests of the controller or third parties. The law requires that any processing must be fair, transparent, and limited to specified, explicit purposes. Organizations must document their lawful basis and ensure compliance with proportionality principles when handling personal information.
Article 9 - FDL-45-2021
Article 9 of Federal Decree-Law No. 45 of 2021 addresses the rights of data subjects regarding their personal data. Data subjects have the right to access their personal data held by controllers, receive confirmation of processing, obtain copies, and understand the purposes and legal basis for collection. The PDPL establishes mechanisms for individuals to exercise these rights through requests to data controllers, with responses required within specified timeframes. These access rights enable transparency and allow individuals to verify accuracy and lawfulness of their personal data processing.
Article 10 - FDL-45-2021 (PDPL)
Article 10 of the UAE Personal Data Protection Law (FDL-45-2021) establishes obligations for data controllers regarding personal data security. Controllers must implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, and loss. These safeguards must be proportionate to the nature and sensitivity of the data being processed. Controllers are required to ensure that persons authorized to process personal data are bound by confidentiality or equivalent legal obligations. The law further obligates controllers to adopt measures addressing data breach notification, employee training, and regular security assessments to maintain compliance with protection standards.
Article 11 - FDL-45-2021
Article 11 of the UAE Personal Data Protection Law (FDL-45-2021) establishes requirements for data controller accountability and transparency. Controllers must implement appropriate technical and organizational measures to ensure compliance with the law and demonstrate such compliance to the relevant authority. They are required to maintain records of processing activities, conduct data protection impact assessments where necessary, and implement privacy by design principles. Controllers must also establish clear policies and procedures for handling personal data and ensure staff are trained on data protection obligations. These measures aim to create a framework of accountability that protects individuals' rights while enabling lawful data processing.
Article 12 - FDL-45-2021
Article 12 of the UAE Personal Data Protection Law (FDL-45-2021) establishes the rights of data subjects concerning their personal information. Individuals have the right to access their personal data held by organizations, obtain copies, and request correction of inaccurate information. Data subjects may also request deletion of their data under specified conditions, withdraw consent for processing, and object to certain uses. Additionally, individuals have the right to data portability, enabling them to receive their information in a structured format and transfer it to other entities. These rights are fundamental to ensuring transparency and control over personal data handling in the UAE.
Article 13
Data subject rights: access, rectification, erasure, portability, restriction, objection, withdrawal of consent.
Article 14 - Federal Decree-Law No. 45 of 2021
Article 14 of the UAE Personal Data Protection Law (FDL-45-2021) establishes requirements for data controllers when transferring personal data to third parties. Controllers must obtain prior consent from data subjects before disclosure, except where permitted by law or necessary for specified legitimate purposes. The transfer must comply with data protection principles and contractual safeguards. Controllers remain liable for third-party processing if they fail to ensure adequate protection standards. The law requires documenting all transfer activities and maintaining records of recipients. Data subjects retain rights to access information about their data's recipients and the purposes of transfer.
Article 22
Data breach notification: controller must notify the UAE Data Office within 72 hours of confirmed assessment.