United Arab Emirates
| OVERVIEW | The United Arab Emirates is one of the few countries in the Middle East to enact comprehensive privacy and data protection legislation. |
| ENACTED | 2007 |
| GENERAL PRIVACY LAWS | The Constitution of the United Arab Emirates guarantees the right to privacy. Article 31 of the Constitution states that an individual enjoys: “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law.” |
| PERSONAL DATA PROTECTION LAWS AND REGULATIONS |
Data Protection Law of 2007 is modeled on the European Union’s Data Protection Directive. The Law regulates the collection, handling, disclosure, storage and use of personal data and also grants certain rights to the individuals to whom the data relates. The DPL is based on the principles contained in the EU Data Protection Directive. Part 4 of the Data Protection Law requires data controllers to register with the Data Protection Office prior to beginning the processing of Personal Data. |
| TYPE OF DATA PROTECTED | Personal Data that is defined as “any information relating to an Identifiable Natural Person.” An “Identifiable Natural Person” is defined as: “is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.” |
| WORKPLACE PRIVACY LAWS | Likely to be governed by the general principles of the Data Protection Law. There is no law specifically related to workplace monitoring. |
| TRANSBORDER TRANSFERS |
Article 11 of the Data Protection Law provides that personal data can only be transferred outside of the country if the transfer is to a place that provides adequate protection. Article 12 provides how data transfers can take place if the location does not have adequate protection. |
| FINES AND SANCTIONS | Pursuant to Section 25 of the Data Protection Law, the Commissioner of Data Protection has the authority to enforce the law. The Commissioner can issue warning or admonishments and make recommendations to Data Controllers; initiate legal proceedings for non-compliance; issue fines and initiate legal proceedings to recover damages for non-compliance. |
| OTHER PRIVACY LAWS AND REGULATIONS |
Article 18 of the Data Protection Law provides that the data controller must notify the data subject the first time his personal data will be disclosed to third parties or used for marketing and expressly offered an opportunity to object. “Where such objection is justified,” the data controller cannot continue to send marketing to the data subject. Article 378 of the Penal Code prohibits the publication of peope’s private affairs. Violations can be punished by confinement for a period not exceeding one year and by a fine. Article 379 prohibits those who learn secrects because of their profession from disclosing such secrets. Violations can be punished by confinement and by a fine. The Dubai Electronic Transactions and Commerce Law prohibits the intentional disclosure of any information included in records or files or electronic messages which became accessible to the individual through his or her employment, subject to certain exceptions. Violations are punishable by imprisonment and/or a fine of up to 100,000 DHS (19,700 EUR). |