Global Data and Cyber Handbook

UAE

Select a Topic
Start Comparison
Legal Bases for Processing of Personal Data
Jump to
Legal Bases for Processing of Personal Data Start Comparison
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 18 December 2024

Yes.

In addition to the consent of the data subject that is considered the default legal basis, the PDPL provides for the following additional legal bases for processing personal data:

  1. the processing is necessary for the protection of the public interest;
  2. the processing is related to the personal data that has become publicly available and known by an act of the data subject;
  3. the processing is necessary to initiate or defend any claim or legal proceedings or when the processing is in connection with judicial or security proceedings;
  4. the processing is necessary for the purposes of occupational or preventive medicine in order to assess the employees' ability to work, for medical diagnosis, for health or social care, for treatment, for health insurance services or for the management of health or social care systems and services in accordance with the applicable legislation in the UAE;
  5. the processing is necessary to protect public health, including protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of healthcare, medicines, drugs and medical devices, in accordance with the applicable legislations in the UAE;
  6. the processing is necessary for archival purposes or for scientific, historical and statistical studies in accordance with the applicable legislation in the UAE;
  7. the processing is necessary for the protection of the data subject's interests;
  8. the processing is necessary for the purposes of the controller or data subject carrying out its obligations and exercising its legally established rights in the field of employment, social security or under the laws of social protection, to the extent permitted by such laws;
  9. the personal data is necessary to perform a contract with the data subject or to take measures at the request of the data subject with the aim of concluding, amending or terminating a contract;
  10. the processing is necessary to implement specific obligation in other laws in the country of the controller; and
  11. any other cases to be specified in the implementing regulations.

The following are potential legal bases for processing personal data:

☒    the data subject has provided consent to the processing for the identified purposes
☒    the personal data is necessary to perform a contract with the data subject
☒    the personal data is necessary to comply with a legal obligation
☒    the personal data is necessary to protect the vital interests of a natural person
☒    the personal data is necessary for a public interest
☒    the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
☒    other

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 18 December 2024

☒ Yes

The same legal bases required for processing personal data apply to sensitive personal data; the PDPL does not currently differentiate between the processing of personal data and sensitive personal data.

The following are potential legal bases for processing sensitive personal data:

☒    the data subject has given consent to the processing, where consent is measured to the same standard as non-sensitive personal data
☒    processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
☒    processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
☒    processing relates to personal data which are manifestly made public by the data subject
☒    processing is necessary for the establishment, exercise or defense of legal claims
☒    processing is necessary for reasons of substantial public interest
☒    processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
☒    processing is necessary for reasons of public interest in the area of public health
☒    processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
☒    other

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 18 December 2024

There are no specific provisions in the PDPL regulating the processing of minors' data.

In what circumstances do these special requirements apply?

Last review date: 18 December 2024

N/A

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 18 December 2024

There are no special requirements on this regard, however consent should technically be obtained from an adult in order to be relied on in the local courts. Market practice varies greatly particularly in the context of downloading mobile applications and use of online services.

{{ $store.state.loadingScreen.message }} ...