uaepdpl.com

Table of Contents

Article 1: Definitions

Article 2: Scope of Application of the Decree by Law

Article 3: Bureau's Power of Exemption

Article 4: Cases of Processing Personal Data without the Consent of its Owner

Article 5: Personal Data Processing Controls

Article 6: Terms of Consent to Data Processing

Article 7: The Controller's General Obligations

Article 8: The Processor's General Obligations

Article 9: Reporting Personal Data Breach

Article 10: Appointing Data Protection Officer

Article 11: Roles of Data Protection Officer

Article 12: Duties of the controller and the processor towards the Data Protection Officer

Article 13: Right to Receive Information

Article 14: Right to Request Transfer of Personal Data

Article 15: Right to correction or erasure of Personal Data

Article 16: Right to Restrict Processing

Article 17: Right to Stop Processing

Article 18: Right to Processing and Automated Processing

Article 19: Contacting the Controller

Article 20: Personal Data Security

Article 21: Assessment of the Impact of Personal Data Protection

Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available

Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available

Article 24: Complaints

Article 25: Grievance against the Bureau's Decisions

Article 26: Administrative Penalties

Article 27: Authorization

Article 28: The Executive Regulation

Article 29: Regularisation

Article 30: Repeals

Article 31: Publication & Enforcement of this Decree by Law

Article 20

Personal Data Security

  1. The Controller and the Processor shall develop and take appropriate technical and regulatory measures to ensure the highest standard of information security that is suitable for the risks related to data processing in accordance with the best international practices and standards. This shall include the following:
    a. Encryption of Personal Data and the application of Pseudonymisation.
    b. Applying measures which ensure the continuous confidentiality, safety, accuracy and flexibility of data processing systems and services.
    c. Applying measures which ensure timely retrieval of and access to Personal Data in case of any actual or technical failure.
    d. Applying measures which ensure a seamless testing and evaluation of the effectiveness of the technical and regulatory measures to ensure the security of processing. 
  2. When evaluating the information security level as set out in Paragraph (1) of this Article, the following shall be observed:
    a. Data processing risks, including damage, loss, accidental or illegal change and disclosure of or access to the Personal Data, whether it is being transferred, stored or processed.
    b. The costs of data processing, and its nature, scope and purposes, in addition to potential risks impacting the confidentiality and privacy of the Data Subject's Personal Data.

FAQs

Under Article 20, Controllers and Processors must implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk posed by their processing activities. The Article itself names encryption and pseudonymisation, measures that preserve the confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data after a failure, and regular testing of those measures. In practice this covers controls such as access controls, secure storage, vulnerability assessments and business continuity planning. The goal is to protect personal data against unauthorized access, alteration, loss, or destruction, whether the data is in transit, at rest or being processed.

Yes. Paragraph 1(d) obliges Controllers and Processors to continually test and evaluate the effectiveness of their security measures. This includes regularly testing, evaluating, and updating both technical safeguards (such as patching, firewalls and access controls) and organizational procedures (such as employee training and access policies). The UAE Data Office may also issue more specific regulatory standards that entities must follow.

Article 20 does not mention personnel expressly, but the measures it requires for the continuous confidentiality of processing systems (paragraph 1(b)) necessarily extend to the people who can access personal data. In practice this means binding staff to confidentiality obligations through employment contracts, internal policies, and training, and limiting access to authorized individuals on a need-to-know basis, with access restricted to what is necessary for their job functions.
