Dubai Data Protection Compliance & Software
Dubai Data Protection Law
Dubai Data Privacy Law became effective on 1 July 2020. This Law repeals and replaces the Data Protection Law, being Law No. 1 of 2007, as it was in force immediately prior to the commencement of this Law (“the Previous Law”), and all Regulations made under the Previous Law from the commencement of Dubai’s Law.
The purpose of the Dubai Data Protection Law is to provide standards and controls for the Processing and free movement of Personal Data by a Controller or Processor and protect the fundamental rights of Data Subjects, including how such rights apply to the protection of Personal Data in emerging technologies.
Key highlights of Dubai Data Protection Law:
Know the difference between Virginia’s CDPA, CCPA and CPRA?
Download this whitepaper to know more about the key differences between the provisions of Virginia’s new privacy law called CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It provides an overview of each law’s requirements, highlighting their similarities and differences. Although there are some similarities in all the active privacy laws, the framework, and definitions of CDPA carries its unique requirements and guidance.
Data Subject Rights under Dubai Data Protection Law (Article 32-39)
- Right to withdraw consent (Article 32)
The Data Subject may withdraw consent at any time by notifying the Controller in accordance with Article 12(5). - Rights to access (Article 33)
Upon request, a Data Subject has the right to obtain from a Controller without charge and within one (1) month of the request about confirmation in writing as to whether or not Personal Data relating to him is being Processed and information at least as to the purposes of the Processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data are disclosed. - Right to rectification (Article 33)
Data Subject have the right to have inaccurate personal data rectified. - Right to deletion (Article 33)
The Data Subject has the right to require the Controller to erase the Data Subject’s Personal Data. - Right to object to Processing (Article 34)
A Data Subject has the right to object at any time on reasonable grounds relating to his situation to Processing of Personal Data relating to him. - Right to restriction of Processing (Article 35)
Data Subject shall have the right to require a Controller to restrict Processing. - Right to data portability (Article 37)
A Data Subject shall have the right to receive Personal Data in a structured, commonly used and machine-readable format. - Right related to automated individual decision-making (Article 38)
A Data Subject shall have the right to object to any decision based solely on automated Processing, including Profiling, which produces legal consequences concerning him or other seriously impactful consequences and to require such decision to be reviewed manually. - Right to Non-discrimination (Article 39)
A Controller may not discriminate against a Data Subject who exercises any rights under the Act.
Data Protection Officer (Article 16)
A DPO shall be appointed by:
- DIFC Bodies, other than the Courts acting in their judicial capacity; and
- A Controller or Processor performing High Risk Processing Activities on a systematic or regular basis.
A data protection officer must know the privacy Law in Dubai and its requirements and shall ensure a Controller or Processor monitors compliance with Laws of data protection in Dubai.
Where a Controller is required to appoint a DPO under the Act, the Data protection officer shall undertake an assessment of the Controller’s Processing activities, at least once per year (“the Annual Assessment”), which shall be submitted to the Commissioner.
How Mandatly helps you achieve Dubai Data Protection Law compliance?
Mandatly’s compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.