{"id":104288,"date":"2025-05-20T11:18:48","date_gmt":"2025-05-20T11:18:48","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=104288"},"modified":"2025-08-19T10:26:37","modified_gmt":"2025-08-19T10:26:37","slug":"uae-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/uae-data-protection-cybersecurity\/","title":{"rendered":"United Arab Emirates: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-104288","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-uae"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bizilance Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/04\/Logo-Bizilance-Legal-Consulatnts-UAE.jpeg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bizilance Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/04\/Logo-Bizilance-Legal-Consulatnts-UAE.jpeg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in United Arab Emirates<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of 
the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The United Arab Emirates has the following regulatory framework concerning personal data protection:<\/p>\n<p><strong>Federal Decree Law No. 45 of 2021<\/strong> on Personal Data Protection (the UAE Law). The UAE Law is applicable all across the UAE except for a few specified sectors and the free zones. The UAE Law is regulated by the UAE Data Office (the Data Office). The UAE Law is not applicable to the following:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Governmental data<\/li>\n<li>Governmental authorities which control and process personal data<\/li>\n<li>Security and judicial authorities<\/li>\n<li>Banking and credit personal data<\/li>\n<li>Companies and organizations incorporated in free zones and governed by special personal data protection legislation<\/li>\n<\/ul>\n<p><strong>Data Protection Law 2020<\/strong> of the Dubai International Financial Center (the DIFC Law). The DIFC Law is applicable in DIFC. The DIFC Law is regulated by the Commissioner (the Commissioner).<\/p>\n<p><strong>Data Protection Regulations 2021<\/strong> of the Abu Dhabi Global Market (the ADGM Regulations). The ADGM Regulations are applicable in ADGM. The Commissioner of Data Protection (the Commissioner of Data Protection) is responsible for regulating the ADGM Regulations.<\/p>\n<p>The sector-specific regime concerning personal data protection is as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Federal Law No. 14 of 2018 (concerning Central Bank of the UAE) governs data protection of banks\u2019 customers<\/li>\n<li>Federal Law No. 
3 of 2003 (concerning telecommunication) governs data protection of telecom consumers<\/li>\n<li>Federal Law No. 2 of 2019 (concerning use of Information and Communication Technology in health fields) governs the confidentiality of patient\u2019s information<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The executive regulations to the UAE Law have not been issued. The UAE Law will be implemented within a period of six months following the issuance of executive regulations. It is expected that these executive regulations will be issued soon by the UAE Data Office.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As the executive regulations to the UAE Law have not been issued, no registration mechanism has been established.<\/p>\n<p>The DIFC Law requires that a controller or processer shall register with the Commissioner.<\/p>\n<p>The applicable fees for registration vary based on the type of entity:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Category I <\/strong>: USD 1,250<\/li>\n<li><strong>Category II <\/strong>: USD 750<\/li>\n<li><strong>Category III <\/strong>: USD 250<\/li>\n<\/ul>\n<p>The ADGM Regulations require a controller to pay a data protection fee and notify (to the Commissioner of Data Protection) its name, address and the date it commenced processing personal data.<\/p>\n<p>Failure to register with the relevant regulatory authorities results in non-compliance with applicable data privacy laws, thereby attracting the penalties prescribed for such violations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? 
What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p><strong>Processing<\/strong>: An operation or set of operations which is performed on personal data using any electronic means including other means, such as collection, storage, recording, structuring, adaptation or alteration, handling, retrieval, exchange, sharing, use, characterization, disclosure by transmission, dissemination, distribution or otherwise making available, alignment, combination, restriction, erasure, destruction or creation of a model of personal data.<\/p>\n<p><strong>Processer<\/strong>: An establishment or a natural person who processes the personal data on behalf of the controller and under his supervision and instructions.<\/p>\n<p><strong>Controller<\/strong>: The establishment or the natural person who is in the possession of the personal data and who by virtue of its activity alone or jointly with others determines the means, methods, standards and purposes of the processing of personal data.<\/p>\n<p><strong>Data Subject<\/strong>: The natural person to whom personal data relates.<\/p>\n<p><strong>Personal Data<\/strong>: Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics. 
Personal data includes sensitive personal data and biometric data.<\/p>\n<p><strong>Sensitive Personal Data<\/strong>: Any information that directly or indirectly reveals a person\u2019s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person\u2019s health such as his physical, psychological, mental, corporal, genetic or sexual state, including any information related to such person\u2019s provision of healthcare services that reveal his health condition.<\/p>\n<p><strong>Consent<\/strong>: The consent by which the data subject authorizes third parties to process personal data relating to him, provided that such consent is clear, specific and unambiguous indication of the data subject\u2019s agreement by a statement or clear affirmative action, to the processing of the personal data relating to him.<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p><strong>Process, Processed, Processes and Processing (and other variants)<\/strong>: Any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or sets of operations performed on Personal Data by:<\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose; or<\/li>\n<li>law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats 
to public security.<\/li>\n<\/ol>\n<p><strong>Processer<\/strong>: Any person who Processes Personal Data on behalf of a Controller.<\/p>\n<p><strong>Controller<\/strong>: Any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.<\/p>\n<p><strong>Data Subject<\/strong>: The identified or Identifiable Natural Person to whom Personal Data relates.<\/p>\n<p><strong>Personal Data<\/strong>: Any information referring to an identified or Identifiable Natural Person.<\/p>\n<p><strong>Special Categories of Personal Data: <\/strong>Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.<\/p>\n<p><strong>Consent<\/strong>: Consent must be freely given by a clear affirmative act that shows an unambiguous indication of consent if it is to be relied on as a basis for processing. If the performance of an act by a Controller, a Data Subject or any other party, (including the performance of contractual obligations), is conditional on the provision of consent to Process Personal Data, then such consent will not be considered to be freely given with respect to any Processing that is not reasonably necessary for the performance of such act or where the consent relates to excessive categories of Personal Data. (the term \u201cconsent\u201d is not defined. 
Conditions of consent are described at Section 12(1) of the DIFC Law).<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p><strong>Processing<\/strong>: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.<\/p>\n<p><strong>Processor<\/strong>: A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.<\/p>\n<p><strong>Controller<\/strong>: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.<\/p>\n<p><strong>Data Subject<\/strong>: An identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<\/p>\n<p><strong>Personal Data<\/strong>: Any information relating to a Data Subject.<\/p>\n<p><strong>Special Categories of Personal Data<\/strong><strong>:<\/strong><\/p>\n<ol style=\"padding-left: 0\" type=\"a\">\n<li>Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;<\/li>\n<li>Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person&#8217;s sex life or sexual orientation; and<\/li>\n<li>Personal Data relating to criminal convictions and offences or related security 
measures.<\/li>\n<\/ol>\n<p><strong>Consent<\/strong>: Consent means any freely given, specific, informed and unambiguous indication of the Data Subject&#8217;s wishes by which they (whether in writing, electronically or orally), by a statement or by a clear affirmative action, signify agreement to the Processing of Personal Data relating to them.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law requires that processing of personal data is to take place in accordance with the following rules:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Fairness, transparency and lawfulness<\/li>\n<li>Purpose specification<\/li>\n<li>Adequacy and relevance<\/li>\n<li>Correct, accurate and update<\/li>\n<li>Ensure to erase or rectify the incorrect data<\/li>\n<li>Safety and security<\/li>\n<li>Not to store the personal data after the end of the purpose (may be maintained if identity of data subject is anonymized)<\/li>\n<li>Any other controls as may be specified by the executive regulations<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>The lawful basis under above are:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Consent<\/li>\n<li>Necessity for the performance of a contract to which data subject is a party<\/li>\n<li>Necessity for compliance with applicable law to which controller is subject 
to<\/li>\n<li>Necessity to protect vital interests of a data subject or of another natural person<\/li>\n<li>Necessity for the performance of a task carried out by DIFC body\/public authority in the interest of ADGM, or in exercise of powers and functions of DIFC body\/ADGM\/Financial Services Regulatory Authority\/ADGM Courts\/Registration Authority, or exercise of powers and functions vested by DIFC body by a third party to whom personal data is disclosed by the DIFC body<\/li>\n<\/ul>\n<p>Necessity for the purposes of legitimate interests pursued by a controller or by a third party, except where such interests are overridden by the interests or rights of a data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law provides that processing of personal data without consent is prohibited. 
Following are the exceptions where processing may be carried out without consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>processing is necessary for the reasons of public interest<\/li>\n<li>processing relates to personal data made publicly available by data subject<\/li>\n<li>processing is necessary to initiate or defend proceedings related to claim of rights and legal actions or in relation to judicial or security procedures<\/li>\n<li>processing is necessary for the purposes of occupational or preventive medicine to assess working capacity of employee, medical diagnosis, etc, in accordance with the applicable law<\/li>\n<li>processing is necessary for protection of public health in accordance with the applicable law<\/li>\n<li>processing is necessary for archiving, scientific, historical or statistical studies in accordance with the applicable law<\/li>\n<li>processing is necessary to protect the interests of data subject<\/li>\n<li>processing is necessary for performance of obligations and establish rights related to recruitment or social security in accordance with the applicable law<\/li>\n<li>processing is necessary for performance of a contract to which the data subject is a party or for taking actions on the request of the data subject for the purpose of concluding, amending or terminating a contract<\/li>\n<li>processing is necessary for compliance with obligations prescribed under laws of the UAE to which the controller is subjected to<\/li>\n<li>situations specified by the executive regulations.<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Consent is one of the \u201clawful\u201d bases to process the personal data under above.<\/p>\n<p>RULES RELATING TO THE FORM, CONTENT AND ADMINISTRATION OF CONSENT:<\/p>\n<p>The UAE Law provides following in relation to consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Controller must be able to prove consent of data subject when processing is based on consent<\/li>\n<li>Consent 
is to be clear, simple, unambiguous and accessible (whether in written or electronic form)<\/li>\n<li>Consent must contain the right of data subject to withdraw consent and withdrawal process must be easy<\/li>\n<li>Data subject, at any time, has the right to withdraw consent<\/li>\n<\/ul>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p>The DIFC provides following in relation to consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When processing is based upon consent the controller must be able to demonstrate that consent has been freely given<\/li>\n<li>Consent must be obtained for each purpose in a manner that is clearly distinguishable in an intelligible and easily accessible form using clear and plain language<\/li>\n<li>The request for consent for the processing of personal data must be clearly distinguishable from other matters (consents other than for processing of personal data) in an intelligible and easily accessible form using clear and plain language<\/li>\n<li>Data subject may withdraw the consent at any time<\/li>\n<li>The controller is to implement appropriate and proportionate measures to assess the ongoing validity of the consent (except for a single discrete incident)<\/li>\n<li>Controller must be able to demonstrate to the Commissioner that appropriate methods and procedures are employed to manage the recording and withdrawal of consent and that periodic evaluations of the same are conducted<\/li>\n<li>Data subject be given opportunity to re-affirm or withdraw the consent on a periodic basis (except in case of a single discrete incident)<\/li>\n<\/ul>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p>The ADGM Regulations provides following in relation to consent:<\/p>\n<ul style=\"padding-left: 0\">\n<li>When the processing is based upon consent, controller must be able to demonstrate that data subject has consented to the processing<\/li>\n<li>Silence, pre-ticked boxes or inactivity do not constitute consent<\/li>\n<li>Data subject to be aware of 
at least identity of the controller and the intended purposes of processing<\/li>\n<li>In case where consent is given in the context of a written declaration also containing other matters the request for consent to process personal data is to be presented in a manner which is clearly distinguishable from other matters in an intelligible and easily accessible form using clear and plain language<\/li>\n<li>Any part of the written declaration, as aforesaid, which constitutes contravention of the ADGM Regulations will not be binding<\/li>\n<li>Data subject has the right to withdraw the consent at any time and withdrawal of consent must be as easy as it is to give consent<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law states that a personal data protection impact assessment is a necessity where processing involves large scale of sensitive personal data.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>The DIFC Law and the ADGM Regulations permit processing of special categories of personal data in certain specified situations, including:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Explicit consent of the data subject<\/li>\n<li>Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or data subject concerning employment<\/li>\n<li>Processing is necessary to protect vital interests of data subject<\/li>\n<li>Processing by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities<\/li>\n<li>Processing related to personal data that has been made public by the data subject<\/li>\n<li>Processing is necessary for the establishment, exercise or defence of legal claims<\/li>\n<li>Processing is necessary for compliance with a specific requirement of a law applicable to the controller<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? 
If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law is not applicable to a data subject who processes data relating to him for personal purposes. The Data Office has the powers to exempt certain establishments which do not process a large scale of personal data from any or all requirements of the UAE Law, in accordance with the standards and controls to be specified by the Executive Regulations.<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p>The DIFC Law is not applicable to the processing of personal data by natural persons in the course of purely personal or household activity that has no connection to a commercial purpose. The DIFC Board of Directors may make regulations to exempt controllers from compliance with the DIFC Law (or any part thereof). Certain provisions of the DIFC Law are not applicable to DIFC bodies. DIFC bodies are DIFC Authority, Dubai Financial Services Authority, DIFC courts and any other person, body, office, registry or tribunal established under DIFC laws or established upon approval of the President of the DIFC that is not revoked by the DIFC Law or by any other DIFC law.<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p>The ADGM Regulations are not applicable to the processing of personal data by a natural person for the purposes of purely personal or household activity. 
In addition, the ADGM Regulations are not applicable on the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including safeguarding against and the prevention of threats to national security.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers are required to undertake a \u201cdata protection impact assessment\u201d before carrying out processing which is likely to result in a high risk to the rights of natural persons. In addition, the UAE Law places a mandatory requirement for a data protection impact assessment in the following cases:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Where processing involves systematic and extensive evaluation of personal aspects of the data subject which is based on automated processing (including profiling) having legal effects to significantly impact the data subject<\/li>\n<li>Where processing involves large scale of sensitive personal data.<\/li>\n<\/ul>\n<p>DIFC Law &amp; ADGM Regulations<\/p>\n<p>Controllers are required to carry out data protection impact assessment (DPIA) prior to the High Risk Processing Activities, in view of the potential risk to the rights of the data subjects. 
Under the ADGM Regulations the Controller must seek advice from the data protection officer (where designated) in relation to the DPIA, whereas the DIFC Law states that a data protection officer, where appointed, shall be responsible for overseeing the DPIA.<\/p>\n<p>In DIFC Law, the Commissioner can publish indicative lists of High-Risk Processing activities (where data protection impact assessment will be a requisite) and can also publish a list of those processing activities which will be exempted from requiring a DPIA. These lists serve as guidance and do not limit a Controller\u2019s responsibilities under the data protection law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such specific codes of practice have been issued.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The controller is to maintain the following records:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Details of controller and the data protection officer<\/li>\n<li>Description of categories of personal data<\/li>\n<li>Data related to persons authorized to access personal data<\/li>\n<li>Timeframe, restrictions and scope of processing<\/li>\n<li>Erasure, modification or processing mechanism<\/li>\n<li>Purpose of the processing<\/li>\n<li>Data related to cross-border transfer and its processing<\/li>\n<li>Description of technical and organizational actions related to information security and processing<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Following written records are required to be kept:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Name and contact details of controller, joint controller (where applicable) and the data protection officer<\/li>\n<li>Purpose of processing<\/li>\n<li>Description of categories of data subjects and of personal data<\/li>\n<li>Categories of recipients to whom personal data has been or will be disclosed<\/li>\n<li>Identification of location (third country) or international organization to which personal data is transferred including documents in relation to suitable safeguards<\/li>\n<li>Time limits for erasure of the different categories of personal data (where possible)<\/li>\n<li>General description of the technical and organizational measures for security of personal data (where possible)<\/li>\n<\/ul>\n<p>The businesses typically meet these requirements by way of documented policies and procedures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block 
filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law requires that personal data must not be stored after the completion of the purpose of its processing. The UAE Law further provides that personal data may be maintained (after completion of purpose) in case identity of the data subject is concealed through anonymization.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Controller and processer are required to have policy and process to securely and permanently delete, anonymize, pseudonymize, encrypt the personal data or to put it beyond further use when grounds for data retention no longer apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>There is no mandatory requirement to consult the regulator under the UAE Law.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>A controller is required to consult\/notify the Commissioner\/Commissioner of Data Protection where data protection impact assessment indicates that processing would have high risks to the rights of the data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li 
class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The requirements for appointments of a data protection officer (DPO) are as under.<\/p>\n<p><strong>The UAE Law <\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>DPO is required to be appointed when the processing is likely to result in a high risk to the privacy and confidentiality of personal data, due to adoption of new technologies or due to amount of data<\/li>\n<li>DPO is required to be appointed where the processing involves a systematic and overall assessment of sensitive personal data, including profiling and automated processing<\/li>\n<\/ul>\n<p>The executive regulations will specify the kinds of technologies and standards of determination related to the above.<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>DPO is required to be appointed by the Commissioner, DIFC Authority and by Dubai Financial Services Authority<\/li>\n<li>DPO is required to be appointed by a controller or processer performing high-risk activities on a systematic or regular basis<\/li>\n<li>A controller or processer (other than above) may be required to designate a DPO by the Commissioner<\/li>\n<\/ul>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>DPO is required to be appointed where processing is carried out by a public authority except for courts acting in their judicial capacity<\/li>\n<li>DPO is required to be appointed where core activities of controller or processer which require (on the basis of nature, scope 
and purposes of processing) regular and systematic monitoring of data subjects on a large scale<\/li>\n<li>DPO is required to be appointed where core activities of controller or processer consist of processing of large scale of special categories of personal data.<\/li>\n<\/ul>\n<p><strong>Responsibilities of DPO<\/strong><\/p>\n<p>The responsibilities of DPO, among others, include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Monitoring the compliance of controller or processer within the applicable legal framework<\/li>\n<li>Informing and advising the controller, processer and their respective employees (who carry out personal data processing) about their obligations under the applicable legal framework<\/li>\n<li>Acting as contact point for the concerned regulator<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no requirement for employee training in any of the laws being discussed here.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law requires that controller is to provide following information to data subject prior to processing of personal data:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Purpose of processing<\/li>\n<li>Target sectors or enterprises with whom personal data is shared inside or outside of UAE<\/li>\n<li>Safeguards adopted in relation to transfer of personal data outside of UAE<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>There is a requirement to provide information to data subject when (i) personal data is obtained from the data subject and when (ii) personal data has not been obtained from the data subject. The information required to be provided to data subject, among others, include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Identity and contact details of controller<\/li>\n<li>Contact details of data protection officer (where applicable)<\/li>\n<li>Purpose and lawful basis of processing<\/li>\n<li>Legitimate interest of controller (where applicable)<\/li>\n<li>Categories of personal data that is being processed<\/li>\n<li>Categories of recipients of personal data<\/li>\n<li>Safeguards in case of transfer of personal data to any other jurisdiction or to an international organization<\/li>\n<li>Period for which personal data will be stored<\/li>\n<li>Rights of the data subject<\/li>\n<li>The source from where personal data is obtained (when personal data is not obtained from data subject)<\/li>\n<\/ul>\n<p>The information is to be provided in writing including, where applicable, by electronic means.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 
class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is a distinction between controllers and processers as per their given definitions, as explained at question 4.<\/p>\n<p>Both the controllers and processers are required to implement measures in order to protect and secure the personal data. The obligations on the processers stem from the laws and contractual obligations with the controllers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. 
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"184\"><strong>The UAE Law<\/strong><\/td>\n<td width=\"184\"><strong>The DIFC Law<\/strong><\/td>\n<td width=\"184\"><strong>The ADGM Regulations<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"184\"><strong>Automated Processing<\/strong>: A processing operation which is performed using an electronic system or programme operating in an automated manner, either in a complete autonomous way without any human intervention or partially under a limited human supervisions and intervention.<\/td>\n<td width=\"184\">Automated Processing is not defined.<\/td>\n<td width=\"184\">Automated Processing is not defined.<\/td>\n<\/tr>\n<tr>\n<td width=\"184\"><strong>Profiling<\/strong>: A form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to the data subject, in particular to analyze or predict aspects concerning his financial condition or performance, health, personal preferences, interest, behavior, location, movements or reliability.<\/td>\n<td width=\"184\">Profiling: The automated processing of personal data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person&#8217;s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.<\/td>\n<td width=\"184\"><strong>Profiling<\/strong>: Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person&#8217;s performance at work, economic situation, health, personal 
preferences, interests, reliability, behaviour, location or movements.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The UAE Law confers on the data subject a \u201cright to stop processing\u201d where personal data is processed for direct marketing purposes including profiling to the extent that profiling is related to such direct marketing.<\/p>\n<p>The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and that the data subject be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes including profiling to the extent profiling is related to such direct marketing.<\/p>\n<p>The ADGM Regulations carry the same provisions as the DIFC Law regarding direct marketing. The ADGM Regulations, in addition, provide that when a data subject objects to direct marketing, personal data must not be processed for direct marketing purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As per the ADGM Regulations and DIFC Law if the personal data is being processed for the purpose of direct marketing, the data subject has the right to object to such processing including the profiling.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The sale of personal information is not addressed in the UAE Law, the DIFC Law and the ADGM Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Telecommunications and Digital Government Regulatory Authority (TDRA) has framed \u201cRegulatory Policy for Spam Electronic Communications\u201d (the Policy). The Policy requires that licensees (of TDRA) are to put all practical measures in place to minimize the transmission of spam having a UAE Link across their telecommunication networks. 
The Policy further states that licensees shall not sell, supply, use, or knowingly allow access or right to use any tools, software, hardware or mechanisms that facilitate address harvesting and generation of electronic addresses. A few important terms defined by the Policy are as follows:<\/p>\n<p>\u201c<strong>Address-Harvesting<\/strong>\u201d means the collecting, capturing, and compiling of an Electronic Address by means of software, tools, technologies or other methods of generating an Electronic Address.<\/p>\n<p>\u201c<strong>Electronic Address<\/strong>\u201d means a number or alphanumeric string by which a Recipient of an Electronic Communication can be identified and contacted on a particular type of Telecommunications Network, such as an electronic mail address, URL, SIP or a telephone number.<\/p>\n<p>\u201c<strong>Electronic Communications<\/strong>\u201d means the communications conveyed by means of a Telecommunications Network to an Electronic Address.<\/p>\n<p>\u201c<strong>Spam<\/strong>\u201d means Marketing Electronic Communications sent to a Recipient without obtaining that Recipient\u2019s Consent.<\/p>\n<p>\u201c<strong>Unsolicited Electronic Communications<\/strong>\u201d means Electronic Communications sent to a Recipient without obtaining that Recipient\u2019s Consent.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. 
How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is included within the definition of \u201csensitive personal data\u201d\/\u201cspecial categories of personal data\u201d, and the rules explained at question 7 apply to it.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law and the ADGM Regulations do not have any provisions addressing AI or machine learning. However, a specific Regulation 10 has been inserted in the DIFC Data Protection Regulations (the Regulations \u2013 the Regulations already existed under the DIFC Law; Regulation 10 was inserted in September 2023), addressing personal data processing through Artificial Intelligence, Autonomous and Semi-Autonomous System.<\/p>\n<p>The following definitions given in the Regulations are important to understand the concept:<\/p>\n<ul style=\"padding-left: 0\">\n<li>System or Systems: this shall mean any machine-based system operating in an autonomous or semi-autonomous manner, that can:\n<ol style=\"padding-left: 5\" type=\"a\">\n<li>Process Personal Data for human-defined purposes or purposes that the system itself defines, or both; and<\/li>\n<li>generate output as a result of or on the basis of such Processing.<\/li>\n<\/ol>\n<\/li>\n<li>Deployer is either a system or legal person:\n<ol style=\"padding-left: 5\" type=\"i\">\n<li>under whose authority or on whose direction or for whose benefit the 
System is operated, or<\/li>\n<li>who receives the benefit of the operation of the System or any output generated by the System<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p>in each case without regard to whether or not the System is operated, supervised or hosted by such person, or such person defines or determines any of the purposes of which Personal Data is Processed by such System.<\/p>\n<ul style=\"padding-left: 0\">\n<li>Operator (acting as a processor) means a Provider that operates or supervises a System on behalf or otherwise for the benefit, and on the direction of a Deployer (acting as a Controller), in each case without regard to whether or not that Provider exercises any control over the Processing of Personal Data by the System.<\/li>\n<li>Provider means a natural or legal person that develops a System, or procures that a System is developed for or on behalf of such person, in each case with a view to providing, commercializing or otherwise making such System available to Operators or Deployers.<\/li>\n<\/ul>\n<p>The Deployer, provider and operator all have to abide by the basic principle of processing as laid down by the Regulations, which are as follows:<\/p>\n<ul style=\"padding-left: 0\">\n<li>the system used for the processing must be unbiased and must be fair just as a controller and processor has to follow the principle of fairness and transparency.<\/li>\n<li>System must treat natural person equally and freely i.e. 
it must not discriminate on the basis of race, gender or any other factors.<\/li>\n<li>Processing of the personal data through autonomous means such as the system must be transparent, that is, it must be easy to explain to the data subject.<\/li>\n<li>The system used for the processing must be secure against any expected personal data breaches.<\/li>\n<li>Although the processing is carried out by automated means, the deployer, operator and provider cannot escape accountability and must be held accountable and responsible.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction which has a law in place covering various aspects as to the protection of personal data (adequate level of protection). 
The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.<\/p>\n<p>In the absence of an adequate protection, under the UAE Law, personal data may be transferred outside the UAE in following cases (subject to the controls to be specified by the executive regulations):<\/p>\n<ul style=\"padding-left: 0\">\n<li>In jurisdictions where data protection law does not exist, on the basis of a contract or agreement binding the establishment (to whom personal data is being transferred) to follow the provisions, measures, controls and conditions of the UAE Law. The said contract or agreement must also specify a supervisory or judicial entity in that foreign country for imposition of appropriate measures against the controller or processor in that foreign country<\/li>\n<li>Expressed consent of the data subject, in such a manner that does not conflict with the public and security interest of the UAE<\/li>\n<li>Transfer is necessary for performing obligations and establishing rights before judicial entities<\/li>\n<li>Transfer is necessary for entering or performance of a contract between the controller and the data subject, or between the controller and a third party for the interests of the data subject<\/li>\n<li>Transfer is necessary for the performance of an act relating to international judicial cooperation<\/li>\n<li>Transfer is necessary for the protection of public interest<\/li>\n<\/ul>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p>The DIFC Law provides that personal data may be transferred abroad on the basis of adequate level of protection as determined by the Commissioner. 
A list of adequate jurisdictions is issued through DIFC Data Protection Regulations.<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p>The ADGM Regulations allow the transfer of personal data abroad where the Personal Data Commissioner has decided that the receiving jurisdiction ensures an adequate level of protection.<\/p>\n<p><strong>Transfer on the Basis of Appropriate Safeguards \u2013 The DIFC Law and the ADGM Regulations <\/strong><\/p>\n<p>In the absence of an adequate level of protection, personal data may be transferred abroad on the basis of \u201cappropriate safeguards\u201d. The \u201cappropriate safeguards\u201d include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>A legally binding instrument between the public authorities<\/li>\n<li>Binding corporate rules<\/li>\n<li>Standard data protection clauses<\/li>\n<li>Approved code of conduct<\/li>\n<li>Approved certification mechanism<\/li>\n<\/ul>\n<p><strong>Specific Derogations \u2013 The DIFC Law and the ADGM Regulations<\/strong><\/p>\n<p>In the absence of an adequate level of protection and appropriate safeguards, the data may be transferred abroad under the following derogations:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Explicit consent of the data subject<\/li>\n<li>Transfer is necessary for the performance of a contract between data subject and controller<\/li>\n<li>Transfer is necessary for the conclusion or performance of contract between a controller and a third party which is in the interest of data subject<\/li>\n<li>Transfer is necessary for reasons of public interest<\/li>\n<li>Transfer is necessary in accordance with an applicable law<\/li>\n<li>Transfer is necessary for establishment, exercise or defence of a legal claim<\/li>\n<li>Transfer is necessary to protect vital interests of a data subject or of other persons where a data subject is physically or legally incapable of giving consent<\/li>\n<li>Transfer is made in compliance with applicable law and data minimization principles to provide 
information to the public and open for viewing by the public in general or by a person who can demonstrate a legitimate interest (under DIFC Law only)<\/li>\n<li>Transfer is necessary for compliance with any obligation under applicable law to which controller is subject to or transfer is made at the reasonable request of a regulator, police or other government agency or competent authority (under DIFC Law only)<\/li>\n<li>The transfer is necessary to uphold the legitimate interests of a controller (in international financial markets), subject to international financial standards, except where such interests are overridden by the legitimate interest of the data subject (under DIFC Law only)<\/li>\n<\/ul>\n<p>Transfer is necessary to comply with applicable anti-money laundering or counter terrorist financing obligations applicable to a controller or a processer (under DIFC Law only)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The controller and processor are to put in place and implement appropriate technical and organizational measures and actions to ensure a high security level which is appropriate to the risks associated with the processing. These measures are to be in accordance with the best international standards and practices.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>The controllers (and processers also under the DIFC Law) are required to implement appropriate technical and organizational measures to protect the personal data. 
In addition, the controllers are required to ensure the security of personal data by following the principles of \u201cdata protection by design\u201d and \u201cdata protection by default\u201d.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of  security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>Breach of security: A breach of security and personal data through unauthorized or unlawful access thereto, such as replication, transmission, distribution, exchange, transfer, circulation or processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed.<\/p>\n<p>Upon becoming aware of a data breach that may pose a risk to the privacy, confidentiality, or security of a data subject&#8217;s personal data, the Controller shall immediately notify both the Office and the affected data subject. 
The specific timeframe for such notification shall be stipulated in the executive regulations of the UAE Law.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>Breach of Security: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.<\/p>\n<p>Under the DIFC Law, as soon as the Controller becomes aware of a personal data breach that compromises the confidentiality, privacy and security of the personal data, it shall notify the personal data breach to the Commissioner. Where the personal data breach is likely to pose high risk to the security of personal data or rights of personal data, the Controller will, as soon as practicable in the circumstances, communicate such breach to the data subject.<\/p>\n<p>The ADGM Regulations provide that breach notification be made within 72 hours after having become aware of the breach, and where the notification is not made within 72 hours, the reasons for the delay must accompany the breach notification. Such personal data breach must be communicated without undue delay.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The individual privacy rights, as below, are exercisable by data subject through submission of a request to data controller:<\/p>\n<p><strong>The UAE Law<\/strong><\/p>\n<table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"198\"><strong>Right<\/strong><\/td>\n<td width=\"354\"><strong>Exceptions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to access to information<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> The request is not related to personal data being processed or is excessively repeated<\/p>\n<p><strong>\u2022<\/strong> The request is in contravention of the judicial procedures or investigations carried out by the competent entities<\/p>\n<p><strong>\u2022<\/strong> The request has a negative impact on controller\u2019s to protect information security<\/p>\n<p><strong>\u2022<\/strong> The request relates to privacy and confidentiality of personal data of a third party<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to data portability<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to rectification or erasure<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> If the request relates to erasure of personal data related to public health with private institutions<\/p>\n<p><strong>\u2022<\/strong> If the request affects investigations, claim or defence of rights and legal actions in respect of controller<\/p>\n<p><strong>\u2022<\/strong> If the request is in conflict with other law to which controller is subject to<\/p>\n<p><strong>\u2022<\/strong> Any other cases to be specified by the Executive Regulations<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to restriction of processing<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> Where processing 
is restricted to storage of personal data<\/p>\n<p><strong>\u2022<\/strong> Where processing is necessary to initiate or defend any procedures relating to claim of rights or judicial actions or judicial proceedings<\/p>\n<p><strong>\u2022<\/strong> Where processing is necessary for protection of rights of the third party under any law<\/p>\n<p><strong>\u2022<\/strong> Where processing is necessary for the reasons or protection of public interest<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to stop processing<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object to automated decision making<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> When automated decision making is performed under the terms of contract between data subject and controller<\/p>\n<p><strong>\u2022<\/strong> When automated decision making is necessary under any other law of the UAE<\/p>\n<p><strong>\u2022<\/strong> When data subject has given his consent<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to withdraw consent<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>The DIFC Law<\/strong><\/p>\n<table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"198\"><strong>Right<\/strong><\/td>\n<td width=\"354\"><strong>Exceptions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to withdraw consent<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to access, rectification and erasure<\/td>\n<td width=\"354\">In cases where restriction is a necessary and proportionate measure to:<\/p>\n<p><strong>\u2022<\/strong> Avoid obstructing an official or legal inquiry, investigation or procedure<\/p>\n<p><strong>\u2022<\/strong> Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties<\/p>\n<p><strong>\u2022<\/strong> Protect public security<\/p>\n<p><strong>\u2022<\/strong> Protect national 
security<\/p>\n<p><strong>\u2022<\/strong> Protect the rights of others<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object processing<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> When at the time of collection of personal data from data subject the controller has explicitly stated that it would not be possible to implement an objection to processing<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to restriction of processing<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> For storage of personal data<\/p>\n<p><strong>\u2022<\/strong> Processing for establishment, exercise or defence of legal claims<\/p>\n<p><strong>\u2022<\/strong> Processing for the protection of rights of another person<\/p>\n<p><strong>\u2022<\/strong> Processing for reasons of substantial public interest<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to data portability<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> When data portability would infringe the rights of any other natural person<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object to automated decision-making including profiling<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> When decision is necessary for entering into or performance of a contract between data subject and controller<\/p>\n<p><strong>\u2022<\/strong> When decision making is authorized by applicable law to which controller is subject to and which also provides suitable measures to safeguard the rights of data subject<\/p>\n<p><strong>\u2022<\/strong> When decision is based upon explicit consent of data subject<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"198\"><strong>Rights<\/strong><\/td>\n<td width=\"354\"><strong>Restrictions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right of access<\/td>\n<td width=\"354\"><strong>\u2022<\/strong> Prejudicial to national security, national defence, prevention or detection of crime, apprehension 
or prosecution of offenders, assessment or collection of a tax or duty or an imposition of similar nature<\/p>\n<p><strong>\u2022<\/strong> Request relates to legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights to the extent to prevent controller from complying with the obligations and rights<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice the discharge of public functions designed to protect public interests<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice the proper discharge of public functions designed to secure workers health, safety and welfare etc; or likely to prejudice to regulate preventing, restricting or distorting commercial competition or to regulate undertakings abusing a dominant market position<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice ADGM ability to comply with international obligations<\/p>\n<p><strong>\u2022<\/strong> Would require disclosure of information which is prohibited by applicable law<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice audit functions for supervising the quality of public accounting and financial reporting by a public authority<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice regulatory function of a public authority<\/p>\n<p><strong>\u2022<\/strong> Likely to prejudice judicial appointments, independence and proceedings including an individual or court acting in a judicial capacity<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>A data subject may lodge a complaint 
with the Data Office on the ground of contravention of the provisions of the UAE Law.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>A data subject has the right to lodge a complaint with the Commissioner\/Commissioner of Data Protection on breach\/contravention of the DIFC Law\/the ADGM Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law does not provide for any concept of injury\/harm, or compensation for it, in relation to a grievance of a data subject. The DIFC Law and the ADGM Regulations, by contrast, provide that a data subject who suffers material or non-material damage as a result of contravention of the applicable law\/regulations is entitled to compensation. The claim for compensation is to be brought before the court.
The compensation will not limit or affect any fine to be imposed on a controller or a processor for contravention of any provision of the applicable law\/regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The laws are enforced by the Data Office, the Commissioner and the Commissioner of Data Protection, respectively, under the UAE Law, the DIFC Law and the ADGM Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table style=\"font-size: 10px\" border=\"1\">\n<tbody>\n<tr>\n<td width=\"162\">The UAE Law<\/td>\n<td width=\"390\">The executive regulations to be issued under the UAE Law will specify the penalties\/administrative sanctions to be imposed on contravention of the UAE Law<\/td>\n<\/tr>\n<tr>\n<td width=\"162\">The DIFC Law<\/td>\n<td width=\"390\">Maximum fine of up to US$ 100,000<\/td>\n<\/tr>\n<tr>\n<td width=\"162\">The ADGM Regulations<\/td>\n<td width=\"390\">Maximum fine of up to US$ 28,000,000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or
thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The laws discussed here do not provide any guidelines regarding the calculation of fines or thresholds for the imposition of sanctions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>A complaint is first to be filed with the Data Office. A grievance against any decision, administrative sanction or action taken by the Data Office is to be filed with the Director General of the Data Office. A decision, administrative sanction or action of the Data Office may not be challenged in appeal unless a grievance is filed with the Director General of the Data Office.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>A complaint is first to be submitted before the Commissioner\/Commissioner of Data Protection.
The disputes are heard in appeal before the DIFC Court\/ADGM Courts, respectively.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no identifiable trends regarding enforcement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE has Federal Decree-Law No. (34) of 2021 on Countering Rumors and Cybercrimes (Cybercrime Law), which deals with crimes against information technology, such as hacking, causing harm to information technology systems, infringement of personal data and information, and creating fake emails, websites etc., and with crimes relating to content and the spread of rumors and false news.
The Cybercrime Law, however, does not address any requirement to implement specific cybersecurity risk management measures and does not require organizations to take specific measures that would mitigate cybercrime and enhance cybersecurity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity?
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of  cybersecurity incidents? 
If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the Law. No. 
(34) on Countering Rumors and Cybercrimes, fines of up to 2 million dirhams can be imposed, while the period of imprisonment varies from crime to crime.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such guidelines or rules have been published.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As discussed at question No.35<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such identifiable trends or regulatory priorities have been identified.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">9675<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\"
src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/104288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=104288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}