Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 1
Definitions
In application of the provisions of this Decree by Law, the following words and phrases shall have the meanings assigned to each of them, unless the context otherwise requires:
State : The United Arab Emirates
Bureau : The UAE Data Bureau established under the aforementioned Federal Decree by Law No. (44) of 2021
Data : An organized or unorganized set of data, facts, concepts, instructions, observations or measurements in the form of numbers, letters, words, symbols, images, videos, signs, sounds, maps or any other form, which is interpreted, exchanged or processed by individuals or computers. It includes information wherever it appears herein.
Personal Data : Any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data, through the use of identification elements such as his/her name, voice, image, identification number, his/her electronic identifier, his/her geographical location, or by one or more physical, physiological, economic, cultural or social characteristics. It includes Sensitive Personal Data and Biometric Data
Sensitive Personal Data: Any data which directly or indirectly reveals a natural person’s family, ethnic origin, political or philosophical opinions, religious beliefs, criminal record, biometric data, or any data relating to such person’s health and physical, psychological, mental, genetic or sexual condition, including information related to the provision of healthcare services to him/her which reveals his/her health status
Biometric Data : Personal Data resulting from processing using a specific technology related to the physical, physiological or behavioral characteristics of the Data Subject, which allows the identification or confirmation of the unique identification of the Data Subject, such as facial images or fingerprints
Data Subject : A Natural Person who is the subject of Personal Data
Establishment : Any individual company or establishment located inside or outside the State, including companies wholly owned by the federal or the local government, or in which they are shareholders
Controller : An Establishment or Natural Person that holds Personal Data and, by virtue of its activity, determines, whether individually or jointly with other persons or Establishments, the method and criteria for processing such Personal Data and the purpose of processing it
Processor : An establishment or Natural Person that processes Personal Data on behalf of the Controller. It processes it under their supervision and in accordance with their instructions
Data Protection Officer : Any Natural or Legal Person appointed by the Controller or the Processor who undertakes the task of ascertaining the extent to which the entity to which he/she belongs complies with the controls, requirements, procedures and rules for the processing and protection of Personal Data stipulated herein. He/she also ensures the integrity of systems and procedures in order to achieve compliance with the provisions of this Decree by Law
Processing : Any operation or set of operations performed on Personal Data using any electronic means, including processing and other means. This processing includes collecting, storing, recording, organizing, adapting, modifying, circulating, altering, retrieving, exchanging, sharing, using, characterizing, disclosing Personal Data by broadcasting, transmitting, distributing, making available, coordinating, merging, restricting, blocking, erasing or destroying it or creating forms thereof
Automated Processing : Processing which is carried out using an electronic program or system that operates in an automated manner, either completely independently without any human intervention, or partially with limited human supervision and intervention
Personal Data Security : A set of technical and organizational measures, procedures and processes specified in accordance with provisions of this Decree by Law which maintain the protection of privacy, confidentiality, integrity and availability of Personal Data
Pseudonymisation : Processing performed on Personal Data in such a way that, once processing is complete, the data can no longer be associated with or attributed to the Data Subject without the use of additional information, provided that such additional information is kept separately and securely, and subject to the technical and organizational measures and procedures specified under the provisions of this Decree by Law, which ensure that the Personal Data is not linked to a specific natural person and that he/she cannot be identified by using it
Anonymization : Processing performed on Personal Data in a way that renders the Data Subject anonymous, so that the data can no longer be linked or attributed to him/her and he/she cannot be identified by any means whatsoever
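The practical difference between the two definitions above is whether the "additional information" exists and who holds it. The following is an added example, not text from the Decree by Law or from the Bureau: it pseudonymises constructed sample records with a keyed HMAC whose key and reverse-lookup table are held apart from the output (so re-identification is possible only to the key holder), and anonymises the same records by dropping direct identifiers and generalising age, which no one can reverse. Record fields, the `Pseudonymiser` class and the `anonymise` function are all assumptions of this example. A keyed function is used rather than a plain hash because identifiers such as national ID numbers have a small, structured space that a plain SHA-256 of the value would let an attacker enumerate.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"name": "Aisha Al Mansoori", "id_number": "784-1990-1234567-1",
     "age": 34, "city": "Dubai", "diagnosis": "asthma"},
    {"name": "Omar Haddad", "id_number": "784-1985-7654321-3",
     "age": 39, "city": "Abu Dhabi", "diagnosis": "diabetes"},
    {"name": "Lina Farouk", "id_number": "784-2001-1111111-9",
     "age": 22, "city": "Dubai", "diagnosis": "asthma"},
]

# Fields that identify a person directly (hypothetical schema).
DIRECT_IDENTIFIERS = ("name", "id_number")


class Pseudonymiser:
    """Replaces direct identifiers with keyed pseudonyms.

    The HMAC key and the reverse map are the 'additional information' of the
    definition: they never travel with the pseudonymised records and must be
    stored separately (here simply as private attributes of this object).
    """

    def __init__(self, key: Optional[bytes] = None):
        # A fresh random key unless the caller supplies one (e.g. from a KMS).
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse: dict[str, str] = {}  # pseudonym -> original value

    def pseudonym(self, value: str) -> str:
        # HMAC-SHA256 truncated to 128 bits: deterministic per key, so the same
        # person gets the same pseudonym across records (linkability kept),
        # but cannot be recomputed without the key.
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        self._reverse[tag] = value
        return tag

    def pseudonymise(self, record: dict) -> dict:
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            out[field] = self.pseudonym(str(out[field]))
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        # Only the holder of the separately kept reverse map can do this.
        return self._reverse.get(pseudonym)


def anonymise(record: dict) -> dict:
    """Irreversible: drop direct identifiers and coarsen the quasi-identifier 'age'
    to a ten-year band so the remaining attributes no longer single out a person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    low = (record["age"] // 10) * 10
    out["age"] = f"{low}-{low + 9}"
    return out


def pseudonymise_all(records: list, key: bytes) -> list:
    """Pseudonymise a whole dataset under one key and return only the records;
    the Pseudonymiser (and thus the key and reverse map) is discarded here."""
    p = Pseudonymiser(key)
    return [p.pseudonymise(r) for r in records]


def unkeyed_is_enumerable(record: dict) -> bool:
    """Shows why a plain hash is a weak pseudonym: an attacker who can guess the
    identifier recomputes the 'pseudonym' without any secret."""
    plain = hashlib.sha256(record["id_number"].encode()).hexdigest()
    guess = hashlib.sha256("784-1990-1234567-1".encode()).hexdigest()
    return plain == guess


if __name__ == "__main__":
    holder = Pseudonymiser(secrets.token_bytes(32))
    pseud = holder.pseudonymise(RECORDS[0])
    print("pseudonymised:", pseud)
    print("re-identified by key holder:", holder.reidentify(pseud["name"]))
    print("anonymised:", anonymise(RECORDS[0]))
```

Two points a practitioner should take from this: a pseudonymised dataset is still Personal Data under the definition (the Controller can re-identify it), so all obligations continue to apply; and anonymisation is only as good as the residual quasi-identifiers, which is why the age field is generalised rather than merely left in place.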
Data Breach : A breach of information security and of Personal Data through illegal or unauthorized access, including copying, sending, distributing, exchanging, transferring, circulating or processing it in a way which leads to the disclosure of such data to third parties, or its destruction or modification during storage, transfer or processing
Profiling : A form of Automated Processing which involves the use of Personal Data to assess certain personality aspects associated with the Data Subject, including analyzing or predicting aspects related to his/her financial performance or condition, health, personal preferences, interests, behavior, location, movements or reliability
Cross-Border Processing: Dissemination, use, display, transmission, reception, retrieval, sharing or processing of Personal Data outside the State
Consent : The consent whereby the Data Subject authorizes a third party to process his/her Personal Data, provided that this consent indicates, in a specific, clear and unambiguous manner, that he/she accepts the processing of his/her Personal Data through a clear positive statement or action