We all value our right to privacy and have certain expectations that our personal data should not be used and shared without adequate protection. This month, Joby Beretta, a Partner at the global law firm Dentons outlines some of the key UAE legal principles that all members companies of the Free Zone should be aware of when dealing with data relating to their customers, suppliers and employees.
Here in the UAE, there is currently no federal law or regulator purely devoted to data protection (i.e. a detailed set of legal rules which aim to control the way data in relation to an identifiable individual is collected, used, processed, transferred…etc.)
Privacy of individuals is however one of the fundamental pillars of the UAE legal system and is enshrined in various legislation including the UAE Constitution, Penal Code, Cyber Crimes Law, Civil Code and the E-Commerce Law. The general principle is that, apart from certain exceptional circumstances, disclosure or misuse of private information without consent can results in fines (which can be up to AED 1M) and imprisonment (of up to 1 year).
The above mentioned data privacy laws apply to all residents, member companies and other stakeholders within the Free Zone community. In addition, there are some additional federal laws and regulations, which cover privacy/data protection matters in certain industry sectors, for instance in relation to credit data, telecommunications and healthcare.
In the absence of a detailed data protection regime, many companies in the UAE are voluntarily opting to comply with international best practice or data protection legislation they are subject to in other jurisdictions. This often includes key data protection principles such as:
Clearly informing individuals what you intend to do with their data;
Processing data fairly, lawfully and securely;
Designing systems so consent can be obtained from individuals;
Allowing mechanisms for individuals to access or correct information; and
Not transferring data outside of the UAE without consent.
It is best practice to ensure that company employees (especially the marketing and sales teams) are aware of the applicable UAE privacy laws including the potential penalties for non-compliance. This should also include a regular review of terms and conditions and privacy policies for compliance with not only applicable laws but also the current and proposed uses of the data by the business.