Table of Contents
Article 1: Definitions
Article 2: Scope of Application of the Decree by Law
Article 3: Bureau's Power of Exemption
Article 4: Cases of Processing Personal Data without the Consent of its Owner
Article 5: Personal Data Processing Controls
Article 6: Terms of Consent to Data Processing
Article 7: The Controller's General Obligations
Article 8: The Processor's General Obligations
Article 9: Reporting Personal Data Breach
Article 10: Appointing Data Protection Officer
Article 11: Roles of Data Protection Officer
Article 12: Duties of the controller and the processor towards the Data Protection Officer
Article 13: Right to Receive Information
Article 14: Right to Request Transfer of Personal Data
Article 15: Right to correction or erasure of Personal Data
Article 16: Right to Restrict Processing
Article 17: Right to Stop Processing
Article 18: Right to Processing and Automated Processing
Article 19: Contacting the Controller
Article 20: Personal Data Security
Article 21: Assessment of the Impact of Personal Data Protection
Article 22: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available
Article 23: Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available
Article 24: Complaints
Article 25: Grievance against the Bureau's Decisions
Article 26: Administrative Penalties
Article 27: Authorization
Article 28: The Executive Regulation
Article 29: Regularisation
Article 30: Repeals
Article 31: Publication & Enforcement of this Decree by Law
Article 5
Personal Data Processing Controls
Personal Data shall be processed according to the following controls:
- Processing shall be carried out in a fair, transparent and lawful manner.
- Personal Data shall be collected for a specific and clear purpose. It shall not be processed at any later time in a manner incompatible with such purpose. However, it may be processed if the purpose is similar or close to the purpose for which this data is collected.
- Personal Data shall be sufficient and limited to what is necessary in accordance with the purpose for which the processing is carried out.
- Personal Data shall be accurate and correct and shall be updated whenever necessary.
- The necessary measures shall be taken to ensure that incorrect Personal Data is deleted or corrected.
- Personal Data shall be kept securely, including protecting it from any violation, penetration, or illegal or unauthorized processing through the development and use of appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
- Personal Data shall not be kept after the purpose of its processing has been exhausted. It may be kept if the identity of the Data Subject has been concealed using the “Anonymization Mechanism”.
- Any other controls set out in the Executive Regulations of this Decree by Law.
FAQs
Article 5 establishes key principles that must be followed when processing personal data. These include:
- data must be processed fairly, transparently, and lawfully
- it must be collected for a specific and clear purpose, and must not later be processed in a manner incompatible with that purpose
- it must be limited to the minimum amount necessary for that purpose
- it must be accurate, kept up to date, and corrected or deleted when found to be incorrect
- it must be protected against breach and unauthorized or unlawful processing through appropriate technical and organizational measures
- it must not be retained once the purpose of processing has been exhausted, unless it has been anonymized
These principles align with global best practices and ensure that personal data is handled responsibly at every stage of processing.
The PDPL requires that personal data be accurate, complete, and kept up to date. Controllers are responsible for taking reasonable steps to correct or delete inaccurate data without delay. Data Subjects also have the right to request correction or erasure of their inaccurate data, and Controllers must have mechanisms in place to facilitate and respond to such requests efficiently.
Personal data must not be retained for longer than is necessary to fulfill the purpose for which it was collected. Once the data is no longer needed, it must be securely deleted or anonymized, unless retention is required by UAE law, regulatory obligation, or for legal claims. Controllers are expected to establish clear retention policies and periodic review mechanisms to ensure compliance with this requirement.