{"id":139384,"date":"2026-04-22T09:25:41","date_gmt":"2026-04-22T09:25:41","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139384"},"modified":"2026-04-22T09:50:21","modified_gmt":"2026-04-22T09:50:21","slug":"uae-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/uae-data-protection-cybersecurity\/","title":{"rendered":"United Arab Emirates: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139384","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-uae"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bizilance Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/04\/Logo-Bizilance-Legal-Consulatnts-UAE.jpeg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bizilance Legal Consultants<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2022\/04\/Logo-Bizilance-Legal-Consulatnts-UAE.jpeg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in United Arab Emirates<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of 
the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The United Arab Emirates has the following regulatory framework concerning personal data protection:<\/p>\n<p><strong>Federal Decree Law No. 45 of 2021<\/strong> on Personal Data Protection (the UAE Law). The UAE Law is applicable all across the UAE except for a few specified sectors and the free zones. The UAE Law is regulated by the UAE Data Office (the Data Office). The UAE Law is not applicable to the following:<\/p>\n<ul>\n<li>Governmental data<\/li>\n<li>Governmental authorities which control and process personal data<\/li>\n<li>Security and judicial authorities<\/li>\n<li>Banking and credit personal data<\/li>\n<li>Companies and organizations incorporated in free zones and governed by special personal data protection legislation<\/li>\n<\/ul>\n<p><strong>Data Protection Law 2020<\/strong> of the Dubai International Financial Center (the DIFC Law). The DIFC Law is applicable in DIFC. The DIFC Law is regulated by the Commissioner (the Commissioner).<\/p>\n<p><strong>Data Protection Regulations 2021<\/strong> of the Abu Dhabi Global Market (the ADGM Regulations). The ADGM Regulations are applicable in ADGM. The Commissioner of Data Protection (the Commissioner of Data Protection) is responsible for regulating the ADGM Regulations.<\/p>\n<p><strong>Federal Decree Law No (26) of 2025 Regarding Child Digital Safety (Child Digital Safety Law)<\/strong> aims to regulate child digital safety and to provide access to safe digital content.<\/p>\n<p>The sector-specific regime concerning personal data protection is as follows:<\/p>\n<ul>\n<li>Federal Law No. 
6 of 2025 regarding the Central Bank, Financial Institutions and Activities and Insurance Business, governs data protection of banks\u2019 customers<\/li>\n<li>Federal Law No. 3 of 2003 (concerning telecommunication) governs data protection of telecom consumers<\/li>\n<li>Federal Law No. 2 of 2019 (concerning use of Information and Communication Technology in health fields) governs the confidentiality of patient\u2019s information<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The executive regulations to the UAE Federal Law have not been issued. The UAE Law will be implemented within a period of six months following the issuance of executive regulations. 
It is expected that said executive regulations will be issued in 2026.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE is actively promulgating laws to regulate different aspects of personal data privacy, such as Federal Law No. 26 of 2025 regarding child digital safety (Child Digital Safety Law), which imposes strict content filtering for children and bars the processing of the personal data of children under the age of 13 unless some conditions are met. It is expected that more such laws may be legislated in 2026.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? 
What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DIFC Law requires that a controller or processer shall register with the Commissioner.<\/p>\n<p>The ADGM Regulations require a controller to pay a data protection fee and to notify the Commissioner of Data Protection of its name, address and the date it commenced processing personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>UAE Law:<\/strong><\/p>\n<p>Personal Data: Any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, through the linking of data, by reference to an identifier such as his name, voice, picture, identification number, electronic identifier, geographical location, or one or more physical, physiological, cultural or social characteristics. 
Personal data includes sensitive personal data and biometric data.<\/p>\n<p><strong>DIFC LAW:<\/strong><\/p>\n<p>Personal Data: Any information referring to an identified or Identifiable Natural Person.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction?  Please include the relevant defined terms for such data (e.g., special categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>UAE LAW:<\/p>\n<p>Sensitive Personal Data: Any information that directly or indirectly reveals a person\u2019s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person\u2019s health such as his physical, psychological, mental, corporal, genetic or sexual state, including any information related to such person\u2019s provision of healthcare services that reveal his health condition.<\/p>\n<p>DIFC LAW:<\/p>\n<p>Special Categories of Personal Data: Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.<\/p>\n<p>ADGM Regulations:<br \/>\nSpecial Categories of Personal Data: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;<\/p>\n<p>(b) Genetic Data, Biometric Data for the purpose of uniquely 
identifying a natural person, Data Concerning Health or data concerning a natural person&#8217;s sex life or sexual orientation; and<br \/>\n(c) Personal Data relating to criminal convictions and offences or related security measures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law requires that processing of personal data is to take place in accordance with the following rules:<\/p>\n<ul>\n<li>Fairness, transparency and lawfulness<\/li>\n<li>Purpose specification<\/li>\n<li>Adequacy and relevance<\/li>\n<li>Correct, accurate and update<\/li>\n<li>Ensure to erase or rectify the incorrect data<\/li>\n<li>Safety and security<\/li>\n<li>Not to store the personal data after the end of the purpose (may be maintained if identity of data subject is anonymized)<\/li>\n<li>Any other controls as may be specified by the executive regulations<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>The lawful basis under above are:<\/p>\n<ul>\n<li>Consent<\/li>\n<li>Necessity for the performance of a contract to which data subject is a party<\/li>\n<li>Necessity for compliance with applicable law to which controller is subject to<\/li>\n<li>Necessity to protect vital interests of a data subject or of another natural person<\/li>\n<li>Necessity for the performance of a task carried out by DIFC 
body\/public authority in the interest of ADGM, or in exercise of powers and functions of DIFC body\/ADGM\/Financial Services Regulatory Authority\/ADGM Courts\/Registration Authority, or exercise of powers and functions vested by DIFC body by a third party to whom personal data is disclosed by the DIFC body<\/li>\n<li>Necessity for the purposes of legitimate interests pursued by a controller or by a third party, except where such interests are overridden by the interests or rights of a data subject<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law provides that processing of personal data without consent is prohibited. 
Following are the exceptions where processing may be carried out without consent:<\/p>\n<ul>\n<li>processing is necessary for the reasons of public interest<\/li>\n<li>processing relates to personal data made publicly available by data subject<\/li>\n<li>processing is necessary to initiate or defend proceedings related to claim of rights and legal actions or in relation to judicial or security procedures<\/li>\n<li>processing is necessary for the purposes of occupational or preventive medicine to assess working capacity of employee, medical diagnosis, etc, in accordance with the applicable law<\/li>\n<li>processing is necessary for protection of public health in accordance with the applicable law<\/li>\n<li>processing is necessary for archiving, scientific, historical or statistical studies in accordance with the applicable law<\/li>\n<li>processing is necessary to protect the interests of data subject<\/li>\n<li>processing is necessary for performance of obligations and establish rights related to recruitment or social security in accordance with the applicable law<\/li>\n<li>processing is necessary for performance of a contract to which the data subject is a party or for taking actions on the request of the data subject for the purpose of concluding, amending or terminating a contract<\/li>\n<li>processing is necessary for compliance with obligations prescribed under laws of the UAE to which the controller is subjected to<\/li>\n<li>situations specified by the executive regulations.<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Consent is one of the \u201clawful\u201d bases to process the personal data under above.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s 
data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law states that a personal data protection impact assessment is a necessity where processing involves large scale of sensitive personal data.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>The DIFC Law and the ADGM Regulations permit processing of special categories of personal data in certain specified situations, including:<\/p>\n<ul>\n<li>Explicit consent of the data subject<\/li>\n<li>Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or data subject concerning employment<\/li>\n<li>Processing is necessary to protect vital interests of data subject<\/li>\n<li>Processing by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities<\/li>\n<li>Processing related to personal data that has been made public by the data subject<\/li>\n<li>Processing is necessary for the establishment, exercise or defence of legal claims<\/li>\n<li>Processing is necessary for compliance with a specific requirement of a law applicable to the controller<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  
If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DIFC framework permits automated decision-making in limited circumstances, including where it is necessary for the performance of a contract, required by law, or based on the data subject\u2019s explicit consent. However, it categorically prohibits the use of automated decision-making in relation to the personal data of minors under all circumstances.<\/p>\n<p>Federal Child Safety Law:<\/p>\n<p>As per the Federal Child Safety Law, digital platforms are restricted from processing the personal data of children under the age of 13. However, personal data of children under the age of 13 can be processed if the following conditions are met:<\/p>\n<ul>\n<li>Explicit, documented and verifiable consent is obtained from the child\u2019s caregiver.<\/li>\n<li>An easy consent management system is provided to the parents for easily revoking the consent provided.<\/li>\n<li>Disclosing the data privacy policy and the purpose of data collection in a clear and comprehensible manner to the child and their caregiver.<\/li>\n<li>Restricting access to personal data to authorized persons only within the digital platform and to the minimum extent necessary for service provision.<\/li>\n<li>Refraining from using the data for commercial purposes, for the purpose of providing targeted electronic advertising to the child, or for tracking the activity of children\u2019s personal accounts for purposes exceeding the originally authorized purpose.<\/li>\n<li>Any other controls determined by Cabinet Resolutions issued in implementation of this Decree by Law.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li 
class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law is not applicable to a data subject who processes data relating to him for personal purposes. The Data Office has the powers to exempt certain establishments which do not process a large scale of personal data from any or all requirements of the UAE Law, in accordance with the standards and controls to be specified by the Executive Regulations.<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p>The DIFC Law is not applicable to the processing of personal data by natural persons in the course of purely personal or household activity that has no connection to a commercial purpose. The DIFC Board of Directors may make regulations to exempt controllers from compliance with the DIFC Law (or any part thereof). Certain provisions of the DIFC Law are not applicable to DIFC bodies. DIFC bodies are the DIFC Authority, the Dubai Financial Services Authority, the DIFC courts and any other person, body, office, registry or tribunal established under DIFC laws or established upon approval of the President of the DIFC that is not revoked by the DIFC Law or by any other DIFC law.<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p>The ADGM Regulations are not applicable to the processing of personal data by a natural person for the purposes of purely personal or household activity. 
In addition, the ADGM Regulations are not applicable to the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties including safeguarding against and the prevention of threats to national security.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers are required to undertake a \u201cdata protection impact assessment\u201d before carrying out processing which is likely to result in a high risk to the rights of natural persons. 
In addition, the UAE Law places a mandatory requirement for a data protection impact assessment in the following cases:<\/p>\n<ul>\n<li>Where processing involves systematic and extensive evaluation of personal aspects of the data subject which is based on automated processing (including profiling) having legal effects to significantly impact the data subject<\/li>\n<li>Where processing involves large scale of sensitive personal data.<\/li>\n<\/ul>\n<p>The data protection impact assessment is carried out either internally or on an outsourced basis.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No such codes of practice are in field.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The controller is to maintain the following records:<\/p>\n<ul>\n<li>Details of controller and the data protection officer<\/li>\n<li>Description of categories of personal data<\/li>\n<li>Data related to persons authorized to access personal data<\/li>\n<li>Timeframe, restrictions and scope of processing<\/li>\n<li>Erasure, modification or processing mechanism<\/li>\n<li>Purpose of the processing<\/li>\n<li>Data related to cross-border transfer and its processing<\/li>\n<li>Description of technical and organizational actions related to information security and processing<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Following written records are required to be kept:<\/p>\n<ul>\n<li>Name and contact details of controller, joint controller (where applicable) and the data protection officer<\/li>\n<li>Purpose of processing<\/li>\n<li>Description of categories of data subjects and of personal data<\/li>\n<li>Categories of recipients to whom personal data has been or will be disclosed<\/li>\n<li>Identification of location (third country) or international organization to which personal data is transferred including documents in relation to suitable safeguards<\/li>\n<li>Time limits for erasure of the different categories of personal data (where possible)<\/li>\n<li>General description of the technical and organizational measures for security of personal data (where possible)<\/li>\n<\/ul>\n<p>The businesses typically meet these requirements by way of documented policies and procedures.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the 
data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law requires that personal data must not be stored after the completion of the purpose of its processing. The UAE Law further provides that personal data may be maintained (after completion of purpose) in case identity of the data subject is concealed through anonymization.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>Controller and processer are required to have policy and process to securely and permanently delete, anonymize, pseudonymize, encrypt the personal data or to put it beyond further use when grounds for data retention no longer apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>There is no mandatory requirement to consult the regulator under the UAE Law.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>A controller is required to consult\/notify the Commissioner\/Commissioner of Data Protection where data protection impact assessment indicates that processing would have high risks to the rights of the data subject.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a 
data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The requirements for appointment of a data protection officer (DPO) are as under.<\/p>\n<p><strong>The UAE Law <\/strong><\/p>\n<ul>\n<li>DPO is required to be appointed when the processing is likely to result in a high risk to the privacy and confidentiality of personal data, due to adoption of new technologies or due to amount of data<\/li>\n<li>DPO is required to be appointed where the processing involves a systematic and overall assessment of sensitive personal data, including profiling and automated processing<\/li>\n<\/ul>\n<p>The executive regulations will specify the kinds of technologies and standards of determination related to the above.<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<ul>\n<li>DPO is required to be appointed by the Commissioner, DIFC Authority and by Dubai Financial Services Authority<\/li>\n<li>DPO is required to be appointed by a controller or processer performing high-risk activities on a systematic or regular basis<\/li>\n<li>A controller or processer (other than above) may be required to designate a DPO by the Commissioner<\/li>\n<\/ul>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<ul>\n<li>DPO is required to be appointed where processing is carried out by a public authority except for courts acting in their judicial capacity<\/li>\n<li>DPO is required to be appointed where core activities of controller or processer which require (on the basis of nature, scope and purposes of processing) regular and systematic monitoring of data subjects on a large scale<\/li>\n<li>DPO is required to be appointed where core activities of controller or processer consist of processing of large scale of special categories of personal 
data.<\/li>\n<\/ul>\n<p><strong>Responsibilities of DPO<\/strong><\/p>\n<p>The responsibilities of DPO, among others, include:<\/p>\n<ul>\n<li>Monitoring the compliance of controller or processer within the applicable legal framework<\/li>\n<li>Informing and advising the controller, processer and their respective employees (who carry out personal data processing) about their obligations under the applicable legal framework<\/li>\n<li>Acting as contact point for the concerned regulator<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no requirement for employee training in any of the laws being discussed here.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law requires that controller is to provide following information to data subject prior to processing of personal data:<\/p>\n<ul>\n<li>Purpose of processing<\/li>\n<li>Target sectors or enterprises with whom personal data is shared inside or outside of UAE<\/li>\n<li>Safeguards adopted in relation to transfer of personal data outside of UAE<\/li>\n<\/ul>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>There is a requirement to provide information to data subject when (i) personal data is obtained from the data subject and when (ii) personal data has not been obtained from the data subject. The information required to be provided to data subject, among others, include:<\/p>\n<ul>\n<li>Identity and contact details of controller<\/li>\n<li>Contact details of data protection officer (where applicable)<\/li>\n<li>Purpose and lawful basis of processing<\/li>\n<li>Legitimate interest of controller (where applicable)<\/li>\n<li>Categories of personal data that is being processed<\/li>\n<li>Categories of recipients of personal data<\/li>\n<li>Safeguards in case of transfer of personal data to any other jurisdiction or to an international organization<\/li>\n<li>Period for which personal data will be stored<\/li>\n<li>Rights of the data subject<\/li>\n<li>The source from where personal data is obtained (when personal data is not obtained from data subject)<\/li>\n<\/ul>\n<p>The information is to be provided in writing including, where applicable, by electronic means.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data 
protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>Controller<\/strong>: The establishment or the natural person who is in the possession of the personal data and who by virtue of its activity alone or jointly with others determines the means, methods, standards and purposes of the processing of personal data.<\/p>\n<p><strong>Processor<\/strong>: An establishment or a natural person who processes the personal data on behalf of the controller and under his supervision and instructions.<\/p>\n<p>Both the controllers and processors are required to implement measures in order to protect and secure the personal data. The obligations on the processors stem from the laws and contractual obligations with the controllers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. 
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"184\"><strong>The UAE Law<\/strong><\/td>\n<td width=\"184\"><strong>The DIFC Law<\/strong><\/td>\n<td width=\"184\"><strong>The ADGM Regulations<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"184\"><strong>Automated Processing<\/strong>: A processing operation which is performed using an electronic system or programme operating in an automated manner, either in a complete autonomous way without any human intervention or partially under a limited human supervisions and intervention.<\/td>\n<td width=\"184\">Automated Processing is not defined.<\/td>\n<td width=\"184\">Automated Processing is not defined.<\/td>\n<\/tr>\n<tr>\n<td width=\"184\"><strong>Profiling<\/strong>: A form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to the data subject, in particular to analyze or predict aspects concerning his financial condition or performance, health, personal preferences, interest, behavior, location, movements or reliability.<\/td>\n<td width=\"184\">Profiling: The automated processing of personal data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person&#8217;s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.<\/td>\n<td width=\"184\"><strong>Profiling<\/strong>: Means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person&#8217;s performance at work, economic situation, health, personal preferences, interests, 
reliability, behaviour, location or movements.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>The UAE Law confers on the data subject a \u201cright to stop processing\u201d where personal data is processed for direct marketing purposes including profiling to the extent that profiling is related to such direct marketing.<\/p>\n<p>The DIFC Law provides that a data subject has the right to be informed before personal data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing and that the data subject be expressly offered the right to object to direct marketing. The data subject has the right to object to personal data processing for direct marketing purposes including profiling to the extent profiling is related to such direct marketing.<\/p>\n<p>The ADGM Regulations carry the same provisions as the DIFC Law regarding direct marketing. The ADGM Regulations, in addition, provide that when a data subject objects to direct marketing then personal data must not be processed for direct marketing purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE does not have specific standalone rules governing cookies, pixels, or online tracking technologies. 
However, such activities are regulated under general data protection laws, which require transparency, lawful basis (often consent), and purpose limitation when personal data is involved.<\/p>\n<p>Cross-contextual behavioral advertising is not directly addressed in the laws, except insofar as it falls within the context of the right regarding automated decision making and profiling as discussed above.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The sale of personal information is not addressed in the UAE Law, the DIFC Law and the ADGM Regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Telecommunications and Digital Government Regulatory Authority (TDRA) has framed \u201cRegulatory Policy for Spam Electronic Communications\u201d (the Policy). 
The Policy requires that licensees (of TDRA) are to put all practical measures in place to minimize the transmission of spam having a UAE Link across their telecommunication networks. The Policy further states that licensees shall not sell, supply, use, or knowingly allow access or right to use any tools, software, hardware or mechanisms that facilitate address harvesting and generation of electronic addresses. A few important terms defined by the Policy are as follows:<\/p>\n<p>\u201cAddress-Harvesting\u201d means the collecting, capturing, and compiling of an Electronic Address by means of software, tools, technologies or other methods of generating an Electronic Address.<\/p>\n<p>\u201cElectronic Address\u201d means a number or alphanumeric string by which a Recipient of an Electronic Communication can be identified and contacted on a particular type of Telecommunications Network, such as an electronic mail address, URL, SIP or a telephone number.<\/p>\n<p>\u201cElectronic Communications\u201d means the communications conveyed by means of a Telecommunications Network to an Electronic Address.<\/p>\n<p>\u201cSpam\u201d means Marketing Electronic Communications sent to a Recipient without obtaining that Recipient\u2019s Consent.<\/p>\n<p>\u201cUnsolicited Electronic Communications\u201d means Electronic Communications sent to a Recipient without obtaining that Recipient\u2019s Consent.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  
Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is included within the definitions of \u201csensitive personal data\u201d \/ \u201cspecial categories of personal data\u201d, which are as follows:<\/p>\n<p>UAE LAW:<\/p>\n<p><strong>Sensitive Personal Data<\/strong>: Any information that directly or indirectly reveals a person\u2019s race, ethnicity, political or philosophical views, religious beliefs, criminal record, biometric data, or any data related to such person\u2019s health such as his physical, psychological, mental, corporal, genetic or sexual state, including any information related to such person\u2019s provision of healthcare services that reveal his health condition.<\/p>\n<p>DIFC LAW:<\/p>\n<p><strong>Special Categories of Personal Data: <\/strong>Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.<\/p>\n<p><strong>ADGM Regulations: <\/strong><\/p>\n<p><strong>Special Categories of Personal Data:<\/strong> (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;<\/p>\n<p>(b) Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person&#8217;s sex life or sexual orientation; and<\/p>\n<p>(c) Personal Data relating to criminal convictions and offences or related security measures.<\/p>\n<p><strong>RULES OF 
PROCESSING:<\/strong><\/p>\n<p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law states that a personal data protection impact assessment is a necessity where processing involves sensitive personal data on a large scale.<\/p>\n<p><strong>The DIFC Law\/The ADGM Regulations<\/strong><\/p>\n<p>The DIFC Law and the ADGM Regulations permit processing of special categories of personal data in certain specified situations, including:<\/p>\n<ul>\n<li>Explicit consent of the data subject<\/li>\n<li>Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of the controller or data subject concerning employment<\/li>\n<li>Processing is necessary to protect vital interests of data subject<\/li>\n<li>Processing by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities<\/li>\n<li>Processing related to personal data that has been made public by the data subject<\/li>\n<li>Processing is necessary for the establishment, exercise or defence of legal claims<\/li>\n<\/ul>\n<p>Processing is necessary for compliance with a specific requirement of a law applicable to the controller.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law and the ADGM Regulations do not have any provisions addressing AI or machine learning. 
However, a specific Regulation 10 has been inserted in the DIFC Data Protection Regulations (the Regulations \u2013 the Regulations already existed under the DIFC Law; Regulation 10 was inserted in September 2023), addressing personal data processing through Artificial Intelligence, Autonomous and Semi-Autonomous System.<\/p>\n<p>The following definitions given in the Regulations are important to understand the concept:<\/p>\n<ul>\n<li>System or Systems: this shall mean any machine-based system operating in an autonomous or semi-autonomous manner, that can:<\/li>\n<\/ul>\n<p>A. Process Personal Data for human-defined purposes or purposes that the system itself defines, or both; and<\/p>\n<p>B. generate output as a result of or on the basis of such Processing.<\/p>\n<ul>\n<li>Deployer is either a system or legal person:<\/li>\n<\/ul>\n<p>(i) under whose authority or on whose direction or for whose benefit the System is operated, or<\/p>\n<p>(ii) who receives the benefit of the operation of the System or any output generated by the System<\/p>\n<p>in each case without regard to whether or not the System is operated, supervised or hosted by such person, or such person defines or determines any of the purposes of which Personal Data is Processed by such System.<\/p>\n<ul>\n<li>Operator (acting as a processor) means a Provider that operates or supervises a System on behalf or otherwise for the benefit, and on the direction of a Deployer (acting as a Controller), in each case without regard to whether or not that Provider exercises any control over the Processing of Personal Data by the System.<\/li>\n<li>Provider means a natural or legal person that develops a System, or procures that a System is developed for or on behalf of such person, in each case with a view to providing, commercializing or otherwise making such System available to Operators or Deployers.<\/li>\n<\/ul>\n<p>The Deployer, Provider and Operator all have to abide by the basic principles of 
processing as laid down by the Regulations, which are as follows:<\/p>\n<ul>\n<li>The System used for the processing must be unbiased and fair, just as a controller and processor have to follow the principle of fairness and transparency.<\/li>\n<li>The System must treat natural persons equally and freely, i.e. it must not discriminate on the basis of race, gender or any other factors.<\/li>\n<li>Processing of the personal data through autonomous means such as the System must be transparent, that is, it must be easy to explain to the data subject.<\/li>\n<li>The System used for the processing must be secure against any expected personal data breaches.<\/li>\n<li>Although the processing is carried out by automated means, the Deployer, Operator and Provider cannot escape accountability and must be held accountable and responsible.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no such requirement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdiction which has a law in place covering various aspects as to the protection of personal data (adequate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection.<\/p>\n<p>In the absence of an adequate protection, under the UAE Law, personal data may be transferred outside the UAE in following cases (subject to the controls to be specified by the executive regulations):<\/p>\n<ul>\n<li>In jurisdictions where data protection law does not exist, on the basis of a contract or agreement binding the establishment (to whom personal data is being transferred) to follow the provisions, measures, controls and conditions of the UAE Law. 
The said contract or agreement must also specify a supervisory or judicial entity in that foreign country for imposition of appropriate measures against the controller or processor in that foreign country<\/li>\n<li>Express consent of the data subject, in such a manner that does not conflict with the public and security interest of the UAE<\/li>\n<li>Transfer is necessary for performing obligations and establishing rights before judicial entities<\/li>\n<li>Transfer is necessary for entering into or performance of a contract between the controller and the data subject, or between the controller and a third party for the interests of the data subject<\/li>\n<li>Transfer is necessary for the performance of an act relating to international judicial cooperation<\/li>\n<li>Transfer is necessary for the protection of public interest<\/li>\n<\/ul>\n<p><strong>The DIFC Law<\/strong><\/p>\n<p>The DIFC Law provides that personal data may be transferred abroad on the basis of an adequate level of protection as determined by the Commissioner. A list of adequate jurisdictions is issued through DIFC Data Protection Regulations.<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<p>The ADGM Regulations allow personal data to be transferred abroad where the Personal Data Commissioner has decided that the receiving jurisdiction ensures an adequate level of protection.<\/p>\n<p><strong>Transfer on the Basis of Appropriate Safeguards \u2013 The DIFC Law and the ADGM Regulations <\/strong><\/p>\n<p>In the absence of an adequate level of protection, personal data may be transferred abroad on the basis of \u201cappropriate safeguards\u201d. 
The \u201cappropriate safeguards\u201d include:<\/p>\n<ul>\n<li>A legally binding instrument between the public authorities<\/li>\n<li>Binding corporate rules<\/li>\n<li>Standard data protection clauses<\/li>\n<li>Approved code of conduct<\/li>\n<li>Approved certification mechanism<\/li>\n<\/ul>\n<p><strong>Specific Derogations \u2013 The DIFC Law and the ADGM Regulations<\/strong><\/p>\n<p>In the absence of adequate level of protection and appropriate safeguards the data may be transferred outside in following derogations:<\/p>\n<ul>\n<li>Explicit consent of the data subject<\/li>\n<li>Transfer is necessary for the performance of a contract between data subject and controller<\/li>\n<li>Transfer is necessary for the conclusion or performance of contract between a controller and a third party which is in the interest of data subject<\/li>\n<li>Transfer is necessary for reasons of public interest<\/li>\n<li>Transfer is necessary in accordance with an applicable law<\/li>\n<li>Transfer is necessary for establishment, exercise or defence of a legal claim<\/li>\n<li>Transfer is necessary to protect vital interests of a data subject or of other persons where a data subject is physically or legally incapable of giving consent<\/li>\n<li>Transfer is made in compliance with applicable law and data minimisation principles to provide information to the public and open for viewing by the public in general or by a person who can demonstrate a legitimate interest (under DIFC Law only)<\/li>\n<li>Transfer is necessary for compliance with any obligation under applicable law to which controller is subject to or transfer is made at the reasonable request of a regulator, police or other government agency or competent authority (under DIFC Law only)<\/li>\n<li>The transfer is necessary to uphold the legitimate interests of a controller (in international financial markets), subject to international financial standards, except where such interests are overridden by the legitimate 
interest of the data subject (under DIFC Law only)<\/li>\n<\/ul>\n<p>Transfer is necessary to comply with applicable anti-money laundering or counter terrorist financing obligations applicable to a controller or a processor (under DIFC Law only)<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>The controller and processor are to put in place and implement appropriate technical and organizational measures and actions to ensure a high security level which is appropriate to the risks associated with the processing. These measures are to be in accordance with the best international standards and practices.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>The controllers (and processors also under the DIFC Law) are required to implement appropriate technical and organizational measures to protect the personal data. 
In addition, the controllers are required to ensure the security of personal data by following the principles of \u201cdata protection by design\u201d and \u201cdata protection by default\u201d.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE laws establish heightened obligations for sensitive or special categories of personal data. This includes data such as health, biometric, genetic, and children\u2019s information, which must be subject to enhanced safeguards, including stronger security measures, tighter access controls, and, where applicable, explicit consent and additional legal bases for processing. Controllers are also required to undertake more robust risk assessments and implement stricter protections to ensure that such processing remains proportionate, secure, and consistent with elevated confidentiality standards.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The term \u201cdata breach\u201d is defined as follows.<\/p>\n<p><strong>The UAE Law<\/strong><\/p>\n<p>A breach of security and personal data through unauthorized or unlawful access thereto, such as replication, transmission, distribution, exchange, transfer, circulation or processing in such a manner leading to the disclosure or divulgence to third parties, or otherwise the destruction or modification of such data while being stored, transferred and processed.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.<\/p>\n<p>The data controller is required to notify a data breach to the Data Office\/Commissioner\/Commissioner of Data Protection when the breach is likely to result in a risk to privacy, confidentiality, security, rights of the data subjects. 
The processor is to notify, without delay, any such breach to the controller (the UAE Law\/the DIFC Law and the ADGM Regulations).<\/p>\n<p>The UAE Law requires the breach to be notified immediately.<\/p>\n<p>The DIFC Law requires the breach to be notified as soon as practicable in the circumstances.<\/p>\n<p>The ADGM Regulations provide that breach notification be made within 72 hours after having become aware of the breach, and in case the notification is not made within 72 hours, the reasons for the delay must accompany the breach notification.<\/p>\n<p>The breach notification is to contain at least the following information:<\/p>\n<ul>\n<li>Description of nature of the breach<\/li>\n<li>Details of the DPO<\/li>\n<li>Likely effects\/consequences of the breach<\/li>\n<li>Description of measures taken or proposed to be taken by the controller to rectify\/remedy the breach and the measures to mitigate its effects<\/li>\n<li>Any requirement of the Data Office (only in case of the UAE Law)<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The individual privacy rights, as below, are exercisable by data subject through submission of a request to data controller:<\/p>\n<p><strong>The UAE Law<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"198\"><strong>Right<\/strong><\/td>\n<td width=\"354\"><strong>Exceptions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to access to information<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The request is not related to personal data being processed or is excessively repeated<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The request is in contravention of the judicial procedures or investigations carried out by the competent entities<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The request has a negative impact on controller\u2019s to protect information security<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The request relates to privacy and confidentiality of personal data of a third party<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to data portability<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to rectification or erasure<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 If the request relates to erasure of personal data related to public health with private institutions<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 If the request affects investigations, claim or defence of rights and legal actions in respect of controller<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 If the request is in conflict with other law to which controller is subject to<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Any other cases to be specified by the Executive Regulations<\/td>\n<\/tr>\n<tr>\n<td 
width=\"198\">Right to restriction of processing<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Where processing is restricted to storage of personal data<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Where processing is necessary to initiate or defend in any procedures relating to claim of rights or judicial actions or judicial proceedings<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Where processing is necessary for protection of rights of the third party under any law<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Where processing is necessary for the reasons or protection of public interest<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to stop processing<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object to automated decision making<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When automated decision making is performed under the terms of contract between data subject and controller<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When automated decision making is necessary under any other law of the UAE<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When data subject has given his consent<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to withdraw consent<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><strong>The DIFC Law<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"198\"><strong>Right<\/strong><\/td>\n<td width=\"354\"><strong>Exceptions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to withdraw consent<\/td>\n<td width=\"354\">None<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to access, rectification and erasure<\/td>\n<td width=\"354\">In cases where restriction is a necessary and proportionate measure to:<\/p>\n<p>&nbsp;<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Avoid obstructing an official or legal inquiry, investigation or procedure<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Avoid 
prejudicing the prevention, detention, investigation or prosecution of criminal offences or the execution of criminal penalties<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Protect public security<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Protect national security<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Protect the rights of others<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object processing<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When at the time of collection of personal data from data subject the controller has explicitly stated that it would not be possible to implement an objection to processing<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to restriction of processing<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 For storage of personal data<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Processing for establishment, exercise or defence of legal claims<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Processing for the protection of rights of another person<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Processing for reasons of substantial public interest<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to data portability<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When data portability would infringe the rights of any other natural person<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object to automated decision-making including profiling<\/td>\n<td width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When decision is necessary for entering into or performance of a contract between data subject and controller<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When decision making is authorized by applicable law to which controller is subject to and which also provides suitable measures to safeguard the rights of data subject<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 When decision is based upon explicit consent of data 
subject<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><strong>The ADGM Regulations<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"198\"><strong>Rights<\/strong><\/td>\n<td width=\"354\"><strong>Restrictions<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right of access<\/td>\n<td rowspan=\"7\" width=\"354\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Prejudicial to national security, national defence, prevention or detection of crime, apprehension or prosecution of offenders, assessment or collection of a tax or duty or an imposition of similar nature<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Request relates to legal proceedings, obtaining legal advice or establishing, exercising or defending legal rights to the extent to prevent controller from complying with the obligations and rights<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice the discharge of public functions designed to protect public interests<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice the proper discharge of public functions designed to secure workers' health, safety and welfare etc; or likely to prejudice to regulate preventing, restricting or distorting commercial competition or to regulate undertakings abusing a dominant market position<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice ADGM's ability to comply with international obligations<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Would require disclosure of information which is prohibited by applicable law<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice audit functions for supervising the quality of public accounting and financial reporting by a public authority<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice regulatory function of a public authority<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Likely to prejudice judicial appointments, independence and proceedings including an individual 
or court acting in a judicial capacity<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to rectification<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to erasure<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to restriction of processing<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to data portability<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right to object<\/td>\n<\/tr>\n<tr>\n<td width=\"198\">Right not to be subject to automated decision-making including profiling<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 64(A) of the DIFC Data Protection Law provides data subjects with a private right of action, enabling individuals who suffer damage\u2014whether financial loss or non-material harm such as distress\u2014due to a breach of the Law or its Regulations to seek compensation before the DIFC Courts, irrespective of the availability of alternative remedies such as complaints to the Commissioner. Controllers and Processors may be held jointly and severally liable where both are involved in the same processing. 
A Controller is generally responsible for damage arising from processing, while a Joint Controller is liable only where it has breached a specific legal obligation. A Processor is liable where it fails to comply with its statutory duties or acts beyond the Controller\u2019s lawful instructions. Liability may be avoided if the party demonstrates that it was not responsible for the event giving rise to the damage.<\/p>\n<p>The DIFC Data Protection Law and the ADGM Data Protection Regulations allow for collective redress mechanisms akin to class actions, enabling multiple data subjects affected by the same or similar contravention to bring a joint complaint or pursue claims collectively.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The UAE Law does not provide for any concept of injury\/harm, or compensation for it, in relation to a grievance of a data subject. The DIFC Law and the ADGM Regulations, by contrast, provide that a data subject who suffers material or non-material damage as a result of a contravention of the applicable law\/regulations is entitled to compensation. The claim for compensation is to be brought before the court. 
The compensation will not limit or affect any fine to be imposed on a controller or a processor for contravention of any provision of the applicable law\/regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The laws are enforced by the Data Office, the Commissioner and the Commissioner of Data Protection under the UAE Law, the DIFC Law and the ADGM Regulations, respectively.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table>\n<tbody>\n<tr>\n<td width=\"162\">The UAE Law<\/td>\n<td width=\"390\">The executive regulations to be issued under the UAE Law will specify the penalties\/administrative sanctions to be imposed for contravention of the UAE Law<\/td>\n<\/tr>\n<tr>\n<td width=\"162\">The DIFC Law<\/td>\n<td width=\"390\">Maximum fine of up to US$ 100,000<\/td>\n<\/tr>\n<tr>\n<td width=\"162\">The ADGM Regulations<\/td>\n<td width=\"390\">Maximum fine of up to US$ 28,000,000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>The UAE Law<\/strong><\/p>\n<p>A complaint is first to be filed with the Data Office. A grievance against any decision, administrative sanction or action taken by the Data Office is to be filed with the Director General of the Data Office. A decision, administrative sanction or action of the Data Office may not be challenged in appeal unless a grievance is filed with the Director General of the Data Office.<\/p>\n<p><strong>The DIFC Law\/the ADGM Regulations<\/strong><\/p>\n<p>A complaint is first to be submitted to the Commissioner\/Commissioner of Data Protection. 
The disputes are heard in appeal before the DIFC Court\/ADGM Courts, respectively.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no dedicated cybersecurity law in the UAE; however, sectoral guidelines exist for the banking and telecom sectors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action and\/or a class action may be brought?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? 
What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In light of the above, this is not applicable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">9556<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}