uaepdpl.com

Table of Contents

Article 1: Definitions

Article 2: Scope of Application of the Decree by Law

Article 3: Bureau's Power of Exemption

Article 4: Cases of Processing Personal Data without the Consent of its Owner

Article 5: Personal Data Processing Controls

Article 6: Terms of Consent to Data Processing

Article 7: The Controller's General Obligations

Article 8: The Processor's General Obligations

Article 9: Reporting Personal Data Breach

Article 10: Appointing Data Protection Officer

Article 11: Roles of Data Protection Officer

Article 12: Duties of the controller and the processor towards the Data Protection Officer

Article 13: Right to Receive Information

Article 14: Right to Request Transfer of Personal Data

Article 15: Right to correction or erasure of Personal Data

Article 16: Right to Restrict Processing

Article 17: Right to Stop Processing

Article 18: Right to Processing and Automated Processing

Article 19: Contacting the Controller

Article 20: Personal Data Security

Article 21: Assessment of the Impact of Personal Data Protection

Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available

Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available

Article 24: Complaints

Article 25: Grievance against the Bureau's Decisions

Article 26: Administrative Penalties

Article 27: Authorization

Article 28: The Executive Regulation

Article 29: Regularisation

Article 30: Repeals

Article 31: Publication & Enforcement of this Decree by Law

Article 23

Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available

  1. Notwithstanding Article (22) of this Decree by Law, Personal Data may be transferred to outside the State in the following cases:
    a. Companies, operating in countries where there are no laws for Data Protection, may transfer data under a contract or agreement obligating the companies in such countries to adopt measures, controls and requirements set out in this Decree by Law, in addition to provisions forcing the Controller or the Processor to adopt appropriate measures which are imposed by a judicial or regulatory authority in such countries as set out in the contract.
    b. If there is an explicit consent granted by the Data Subject to transfer his/her Personal Data outside the State, provided that such transfer shall not contradict the public or security interest of the State.
    c. If the transfer is necessary to fulfil obligations and establish rights before judicial entities, exercise or defend the same.
    d. If the transfer is necessary to sign or implement a contract made between the Controller and the Data Subject, or between the Controller and third parties to serve the interest of the Data Subject. 
    e. If the transfer is necessary to implement an action related to an international judicial cooperation.
    f. If the transfer is necessary to protect the public interest. 
  2. The Executive Regulations of this Decree by Law set forth the controls and stipulations referred to in Paragraph (1) of this Article, which should be observed during the transfer of data outside the State.

FAQs

Personal data may be transferred to countries that do not offer an adequate level of protection only under specific, exceptional conditions. These include: 

  • Explicit and informed consent: The Data Subject has provided clear permission after understanding the implications. 
  • Contractual necessity: The transfer is required to perform or conclude a contract with the Data Subject. 
  • Protection of vital interests: The transfer is essential in life-threatening situations to safeguard the subject’s welfare. 
  • Public interest: The transfer serves a significant public interest purpose. 
  • Legal claims or defense: Transfers are needed for filing or defending legal claims. 
  • Compliance with UAE law: The transfer is mandated by relevant UAE legislation.

Binding Corporate Rules (BCRs) are internal data protection policies used by multinational companies to allow cross-border transfers of personal data within the same corporate group. These rules must be legally binding, approved by the UAE Data Office, and demonstrate compliance with the PDPL. BCRs must provide adequate safeguards and uphold the rights of Data Subjects.

Yes. The UAE Data Office (the Bureau) retains the authority to prohibit or suspend a transfer if it determines that the transfer poses a serious threat to the privacy rights of Data Subjects or is inconsistent with the PDPL. This supervisory power ensures that even legally justified transfers remain subject to regulatory oversight, particularly in high-risk or sensitive cases.
