Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 10
Appointing Data Protection Officer
- The Controller and Processor shall appoint a Data Protection Officer, who has sufficient skills and knowledge of the Personal Data Protection Law, in any of the following cases:
a. If processing would cause a high-level risk to the confidentiality and privacy of the Personal Data of the Data Subject as a result of adopting new technologies or with regard to the volume of data.
b. If processing would involve a systematic and comprehensive assessment of Sensitive Personal Data, including Profiling and Automated Processing.
c. If processing would be carried out on a large volume of Sensitive Personal Data.
- The Data Protection Officer may be an employee of the Controller or the Processor or authorized by them, whether inside or outside the State.
- The Controller or the Processor shall specify the contact details of the Data Protection Officer and notify the Bureau of the same.
- The Executive Regulations of this Decree by Law shall specify the types of technologies and criteria for determining the volume of data required in accordance with this Article.
FAQs
A Data Protection Officer (DPO) must be appointed if the processing involves a high risk to the privacy and confidentiality of personal data. This includes cases where processing is conducted on a large scale, involves sensitive personal data, or includes systematic and automated profiling. The exact thresholds for “high risk” may be further clarified by the Executive Regulations or by the UAE Data Office.
Yes. The PDPL permits the appointment of either an internal employee or an external service provider as a DPO. What matters is that the DPO has sufficient expertise in data protection laws and practices, can perform their duties independently, and has direct access to top management. Outsourcing the role is especially common for small or mid-sized entities without in-house expertise.
Yes. Once a DPO is appointed, the Controller or Processor must notify the UAE Data Office (also referred to as the Bureau) of the DPO’s contact details. This enables the Bureau to communicate directly with the DPO regarding compliance matters, audits, or data protection inquiries. The notification must follow the format and procedures set out by the Bureau.