Dubai Data Protection Compliance & Software

Dubai Data Protection Law

Dubai Data Privacy Law became effective on 1 July 2020. This Law repeals and replaces the Data Protection Law, being Law No. 1 of 2007, as it was in force immediately prior to the commencement of this Law (“the Previous Law”), and all Regulations made under the Previous Law from the commencement of Dubai’s Law.

The purpose of the Dubai Data Protection Law is to provide standards and controls for the Processing and free movement of Personal Data by a Controller or Processor and protect the fundamental rights of Data Subjects, including how such rights apply to the protection of Personal Data in emerging technologies.

Who must comply with Dubai Data Protection Law? (Article 6)

Dubai Data Protection Law applies to:

  • Any Processor or Controller incorporated in the DIFC, regardless of whether the Processing takes place in the DIFC or not; or
  • Any business (regardless of its place of incorporation) which processes personal data within the DIFC as part of stable arrangements; or
  • Any Controller or Processor carrying out processing activity in the DIFC, including transfers of Personal Data out of the DIFC; or
  • Any business which processes data on behalf of either of the above.

This Law does not apply to the Processing of Personal Data by natural persons in the course of a purely personal or household activity that has no connection to a commercial purpose.

Enforcement under Dubai Data Protection Law (Article 62)

The details of these fines are listed under Schedule 2 of the Law. The new law sets a maximum fine of USD 100,000 for administrative breaches, with additional scope for larger fines (unlimited) for more serious violations.

The law adds the ability for compensation claims to be made by or on behalf of data subjects.


Key highlights of Dubai Data Protection Law:

Personal Data: Any information referring to an identified or Identifiable Natural Person.
Data Subject Rights: The Dubai Data Protection Law provides data subject rights that largely mirror those provided by the GDPR.
Data Controller: Any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
Privacy Assessments: Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.


Data Subject Rights under Dubai Data Protection Law (Articles 32-39)

  1. Right to withdraw consent (Article 32)
    The Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5).
  2. Rights to access (Article 33)
    Upon request, a Data Subject has the right to obtain from a Controller, without charge and within one (1) month of the request, confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed.
  3. Right to rectification (Article 33)
    A Data Subject has the right to have inaccurate personal data rectified.
  4. Right to deletion (Article 33)
    The Data Subject has the right to require the Controller to erase the Data Subject’s Personal Data.
  5. Right to object to Processing (Article 34)
    A Data Subject has the right to object at any time on reasonable grounds relating to his situation to Processing of Personal Data relating to him.
  6. Right to restriction of Processing (Article 35)
    A Data Subject shall have the right to require a Controller to restrict Processing.
  7. Right to data portability (Article 37)
    A Data Subject shall have the right to receive Personal Data in a structured, commonly used and machine-readable format.
  8. Right related to automated individual decision-making (Article 38)
    A Data Subject shall have the right to object to any decision based solely on automated Processing, including Profiling, which produces legal consequences concerning him or other seriously impactful consequences and to require such decision to be reviewed manually.
  9. Right to Non-discrimination (Article 39)
    A Controller may not discriminate against a Data Subject who exercises any rights under the Act.

Data Protection Officer (Article 16)

A DPO shall be appointed by:

  1. DIFC Bodies, other than the Courts acting in their judicial capacity; and
  2. A Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.

A Data Protection Officer must know the privacy law in Dubai and its requirements, and shall ensure that a Controller or Processor monitors compliance with Dubai's data protection laws.

Where a Controller is required to appoint a DPO under the Act, the DPO shall undertake an assessment of the Controller’s Processing activities at least once per year (“the Annual Assessment”), which shall be submitted to the Commissioner.

How does Mandatly help you achieve Dubai Data Protection Law compliance?

Mandatly’s compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
Data Inventory and Mapping: Maintain your data sources and map data flows to meet the "Lookback" requirements.
Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
Do not sell my information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
Analytics: Reporting features are built into the system to get a holistic view of the compliance program for different stakeholders.
