Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 11
Roles of Data Protection Officer
- The Data Protection Officer shall ensure the extent of compliance of the Controller or the Processor with the application of provisions of this Decree by Law, its Executive Regulations and instructions issued by the Bureau. The Data Protection Officer shall, in particular, undertake the following tasks and powers:
a. Verifying the quality and correctness of the procedures in place at the Controller and the Processor.
b. Receiving requests and complaints related to Personal Data in accordance with provisions of this Decree-Law and its Executive Regulations.
c. Providing technical advice on evaluation procedures and periodic examination of personal data protection systems and intrusion prevention systems at the Controller and Processor, documenting the results of such evaluation and providing appropriate recommendations in this regard, including risk assessment procedures.
d. Acting as a link between the Controller or the Processor, as the case may be, and the Bureau regarding the application of personal data processing provisions stipulated in this Decree by Law.
e. Any other tasks or powers which are determined in accordance with the Executive Regulations of this Decree by Law.
- The Data Protection Officer shall maintain the confidentiality of information and data it receives in implementation of its duties and powers in accordance with provisions of this Decree by Law and its Executive Regulations and in accordance with the legislations in force in the State.
FAQs
The Data Protection Officer (DPO) is responsible for overseeing the entity’s compliance with the PDPL. This includes monitoring internal data processing activities, advising the Controller or Processor on their data protection obligations, handling inquiries from the UAE Data Office, and serving as a point of contact for Data Subjects. The DPO also supports the implementation of privacy policies and ensures staff are aware of data protection responsibilities.
Yes. While the DPO is not solely responsible for implementing technical and organizational measures, they play a key advisory and oversight role. The DPO ensures that such measures are in place to safeguard personal data and that they align with the requirements of the PDPL. This includes guidance on data minimization, access controls, encryption, risk assessments, and incident response plans.
Yes. The DPO is legally required to maintain confidentiality regarding the performance of their duties. This includes not disclosing sensitive information related to data subjects, internal processes, or investigations unless authorized by law. Confidentiality ensures the DPO can operate independently and objectively, especially when assessing compliance or reporting issues to senior management or the Data Office.