Data Protection in UAE - General

Transfer in UAE - General

Data transfers out of the UAE may be subject to different laws.

The PDPL imposes limitations on the international transfer of Personal Data to outside of the UAE.  Similar to the concept of the “adequate jurisdictions” in the EU, the Data Office is expected to approve certain territories as having sufficient provisions, measures, controls, requirements and rules for protecting privacy and confidentiality of personal data. There are also various other exceptions which exporters can rely on, although further details are awaited from the Data Office.

Article 10 of the SVF Regulation requires that customer data (including customer identification and transaction records) are stored and maintained in the UAE.

Article 13 of the ICT in Health Fields Law requires that  Health Information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health.  Federal Ministerial Decision No 51 of 2021 Cases Allowing the Storage and Transfer of Medical Data and Information Out of the State, outlines the circumstances in which such Health Information may be transferred outside of the UAE. The Federal level also requirements need to be considered against various Emirate level policies, procedures and guidance documents which, depending upon the location of the relevant parties, patients and the nature of the activities being performed may also impact the collection, processing and international transfer of health information. 

In addition, in circumstances where telecommunications service providers provide subscriber information to affiliates or third parties directly involved in the supply of the telecommunications services ordered by a subscriber, the third parties are required to take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information, and use such information only as needed for the provision of the requested services. Telecommunications service providers are required to ensure that the contracts between them and any affiliate or third party holds the other party responsible for the privacy and protection of the subscriber’s information (TDRA Consumer Protection Regulations v2.0, Article 24.9).

Continue reading

  • no results

Previous topic
Back to top