The Data Protection Law recognises two parties who deal with personal data:
- Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
- Data Controller: the subject or legal entity that decides on the processing of personal data.
Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.
According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:
- Legitimacy: Personal data must be collected and processed in a lawful manner;
- Consent: The data subject must give its consent for the processing of its personal data;
- Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
- Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
- Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
- Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
- Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.
Additionally, the following legal requirements should be taken into account when processing personal data:
- Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
- Personal data must not be obtained through deceptive or fraudulent means;
- In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
- Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.
According to the CDLP the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data information related to the data bank; an obligation that does not cease upon completion of its functions or activities in that field.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law)
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The law authorises it;
- The data subject expressly accepts said processing;
- Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.
Onshore - Entities handling medical patient data, ecommerce businesses, consumer businesses, central-bank licensees and telecoms licensees (including providers of IoT services) are subject to various requirements to keep data secured and confidential but these are largely high-level requirements without associated demonstrable compliance obligations; the exception to the above is that businesses handling medical data in relation to Abu Dhabi-licensed medical procedures must comply with the detailed patient health data standard issued by the Department of Health, which contains a comprehensive list of compliance obligations, similar in many respects to those found in the GDPR. Strict localisation requirements apply to medical personal data.
In general, due to the risk of criminal complaint for invasion of privacy, businesses operating onshore wishing to adopt a prudent approach are well-advised to implement a process for obtaining documented consent in relation to disclosure of personal information or any intrusive activity.
DIFC and ADGM – The principal data processing obligations are similar to GDPR, including that entities must: have a lawful basis for processing data; must process in accordance with principles such as purpose limitation; must provide information to data subjects when data is collected; must employ appropriate technical and organisational measures to protect data; must maintain a processing record; must be able to demonstrate compliance; must ensure processors are engaged under appropriate contractual terms; must respect data subject rights.
Dubai Healthcare City – the principles of the DHCR are similar to those found in the European Data Protection Directive, which predated the GDPR. Licensees must provide information to patients on the purposes for which their data are collected, must only use the data for such purposes, must keep it secure and must respect certain rights of the data subject.