Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 18
Right to Processing and Automated Processing
- The Data Subject shall have the right to object to any decisions resulting from automated processing, including profiling, particularly those decisions which have legal impact on or adversely affect the Data Subject.
- Notwithstanding Paragraph 1 of this Article, the Data Subject may not object to the decisions resulting from automated processing in the following cases:
a. If the automated processing is agreed upon under the contract made between the Data Subject and the Controller.
b. If the automated processing is required under other legislations which are applicable in the State.
c. If the Data Subject gives prior consent to the automated processing as set out in Article (6) of this Decree by Law. - The Controller shall adopt appropriate measures to protect the privacy and confidentiality of the Data Subject’s Personal Data in the cases referred to in Paragraph 2 of this article and shall not cause any prejudice to the Data Subject’s rights.
- The Controller shall include the human element in reviewing automated processing decisions at the request of the Data Subject.
FAQs
Yes. Data Subjects have the right to object to decisions made solely through automated processing including profiling, if those decisions produce legal effects or significantly impact them. They can request human intervention, express their point of view, and contest the decision. This ensures that individuals are not subjected to purely algorithmic judgments without recourse.
Yes. The right to object may not apply if the automated decision is necessary for entering into or performing a contract between the Data Subject and Controller, authorized by UAE law, or based on the Data Subject’s explicit consent. Even in these cases, appropriate safeguards such as the right to obtain human review must be in place.
Yes. When automated processing is used to make impactful decisions, Controllers must implement measures that include human oversight to ensure fairness, transparency, and accountability. This may involve reviewing decisions, validating processing logic, and providing meaningful explanations to Data Subjects upon request.