Personal Data: Any data relating to a specific natural person or relating to a natural person that can be identified directly or indirectly by linking the data, using identification elements such as his name, voice, picture, identification number, or his electronic identifier, his geographical location, or one or more of his physical, physiological, economic, cultural, or social characteristics, including sensitive personal data and biometric data.
Sensitive Personal Data: Any data that directly or indirectly discloses a natural person's family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to that person's health, including his physical, psychological, mental, genetic, or sexual condition, including information related to the provision of health care services to him that reveals his health status.
Controller: The establishment or natural person who has personal data, and by virtue of its activity, determines the way, method, and criteria for processing this personal data and the purpose of its processing, whether alone or jointly with other persons or establishments.
Processor: The establishment or natural person that processes personal data on behalf of the controller so that he processes it under his direction and according to his instructions.
Data Protection Officer: Any natural or legal person appointed by the controller or processor, who undertakes the tasks of ascertaining the extent to which the entity to which he belongs complies with the controls, requirements, procedures, and rules for processing personal data protection stipulated in this Decree-Law, and to ensure the integrity of its systems and procedures in order to achieve compliance with its provisions.
Data Breach: The process of breaching information security and breaching personal data through the illegal or unauthorised entry and access to them, including copying, sending, distributing, exchanging, transferring, circulating, or processing in a way that leads to disclosure or detection of this data to third parties, or its destruction or modification during the process of storage, transmission, and processing.
Cross-Border Processing: Dissemination, use, display, transmission, reception, retrieval, use, sharing or processing of personal data outside the geographical scope of the country.
Consent: The consent in which the data subject authorises a third party to process his personal data, provided that this consent is in a specific, clear, and unambiguous manner that he accepts the processing of his personal data through a clear positive statement or action.
Who will be the regulator?
The UAE Data Office will be established to act as the federal data regulator in the UAE. The office, which is affiliated with the UAE Cabinet, will be responsible for:
- preparing policies and legislation related to data protection
- proposing and approving the standards for monitoring the Personal Data Protection Law
- preparing systems for complaints and grievances related to data
- issuing guidelines and instructions for the implementation of the Law