Last review date: 18 December 2024
Yes
☒ general obligation to take appropriate/reasonable technical, physical and/or organizational security measures
The technical and organizational measures and procedures adopted by controllers and processors must ensure that the level of information security is commensurate with the risks associated with the relevant processing, in accordance with best international standards and practices.
Last review date: 18 December 2024
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products
Last review date: 18 December 2024
☒ financial services
☒ critical infrastructure
Last review date: 18 December 2024
Yes.
Last review date: 18 December 2024
☒ data protection authorities
☒ affected individuals
The controller shall, immediately upon becoming aware of any breach or violation of the data subject's personal data that could prejudice the privacy, confidentiality and/or security of that data, report the breach or violation to the Data Office within the period and in accordance with the procedures and conditions to be determined by the implementing regulations of the PDPL, including by submitting the information and documents listed in the PDPL.
The controller must also notify the data subjects where the violation or breach that occurred would prejudice the privacy, confidentiality and security of their personal data, and inform them of the measures undertaken in connection with the breach, in accordance with the procedures and conditions to be determined by the implementing regulations of the PDPL.
Last review date: 18 December 2024
☒ controller/owner
The processor must immediately inform the relevant controller when a violation or breach occurs, and the controller will in turn be responsible for reporting the breach to the Data Office.
Last review date: 18 December 2024
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
Under the UAE Central Bank ("CBUAE") Consumer Protection Regulations and Consumer Protection Standards, banks and other Licensed Financial Institutions ("LFIs") must notify (i) the CBUAE of all "significant" breaches affecting consumer personal data; and (ii) affected consumers if the breach poses a "risk to their financial or personal security".
LFIs and banks are liable to reimburse consumers for actual harm suffered from a data breach.
With regard to the laws regulating healthcare activities: (i) the Abu Dhabi Healthcare Information and Cybersecurity Standard, issued in February 2019, states under control HI 2.1 that the licensed entity has to establish processes to notify the health sector regulator of any probable breaches involving healthcare information; and (ii) the Dubai Health Authority ("DHA") Policy on Health Data Protection and Confidentiality states under paragraph 4.18.5 that the licensed entity must report any breach of health information to both the UAE Information Office and the DHA.