Information Requirements, Data Subject Rights, Accountability and Governance
What information needs to be included in a privacy notice to data subjects?

Last review date: 18 December 2024

The list of information that must be provided to a data subject prior to beginning processing is less extensive than the equivalent list that must be provided pursuant to the GDPR. Indeed, under the PDPL, the only information that a controller needs to provide to the data subject before starting the processing is (i) the purposes of processing, (ii) the targeted sectors or establishments with whom his/her personal data will be shared from inside and outside the UAE, and (iii) the protection measures for cross-border processing carried out in accordance with the relevant articles under the PDPL. However, further disclosures will likely need to be made in a privacy notice in order to comply with the general obligation to process personal data in a manner that is fair and transparent and, where relying on consent, to ensure that such consent is valid under the PDPL; the implementing regulations may also introduce further specific requirements.

☒ the identity and the contact details of the controller and, where applicable, of the controller's representative
☒ the legal basis for the processing
☒ the categories of personal data concerned
☒ the recipients or categories of recipients of the personal data, if any
☒ information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available
☒ the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
☒ the existence of data subjects' rights, such as the right to access, rectification, erasure, data portability, etc.
☒ the existence of the right to withdraw consent if processing is based on consent
☒ the right to lodge a complaint with a supervisory authority
☒ if applicable, information regarding automated decision making, including profiling
☒ other

Do data subjects have specific privacy rights that must be operationalized?

Last review date: 18 December 2024

Yes.

Data subjects have the following data privacy rights, although the specifics of the scope and conditions for each of these vary depending on the circumstances and local law:

☒ right to access the data subject's own personal data
☒ right to rectify/correct the data subject's own personal data where inaccurate or incomplete
☒ right to erasure of personal data
☒ right to restrict data processing
☒ right to data portability
☒ right to object to the processing of personal data
☒ right to withdraw consent
☒ other

In addition to the above rights, the data subject has the right to object to decisions issued with respect to automated processing that have legal consequences or seriously affect the data subject.

In addition, the PDPL (Right to obtain information) dictates the information that should be made available to the data subject on request, including: details of the type of personal data; purposes of processing; decisions made based on automated processing (including profiling); targeted sectors or establishments with which personal data is to be shared; controls and standards for the periods of storing and keeping personal data; procedures for correcting, erasing or limiting the processing of personal data and for objecting to it; protection measures for cross-border processing; steps to be taken in the event of a breach or infringement of personal data; and the process for filing complaints with the Data Office.

Are there accountability and governance requirements?

Last review date: 18 December 2024

☒ Yes

There are accountability and governance requirements, which oblige controllers to:

  • perform and document data protection impact assessments ("DPIAs") for high-risk processing;
  • maintain a record of processing activities;
  • implement appropriate measures to comply with data privacy and security;
  • demonstrate compliance with data privacy and security;
  • identify a specific individual as the data privacy contact for data subject or data protection authority inquiries;
  • audit or supervise data processors.