UAE Law and Practice Contributed by: Saifullah Khan and Saeed Hasan Khan, Bizilance Legal Consultants
5. International Considerations 5.1 Restrictions on International Data Transfers The UAE Law provides that personal data may only be transferred outside the UAE to a jurisdic - tion with a law in place covering various aspects as to the protection of personal data (ie, an ade - quate level of protection). The personal data may also be transferred to those countries with whom the UAE has bilateral or multilateral agreements in respect of personal data protection. The DIFC Law provides that personal data may be transferred to a third country or to an interna - tional organisation on the basis of an adequate level of protection, as determined by the Com - missioner of Data Protection. A list of adequate jurisdictions is issued through the DIFC Data Protection Regulations. The ADGM Regulations allow the transfer of personal data outside the ADGM or to an inter - national organisation, where the Commissioner has decided that the receiving jurisdiction or the international organisation ensures an adequate level of protection. 5.2 Government Notifications and Approvals There is no requirement for any government noti - fications or approvals in order to transfer data internationally, except as discussed in 5.3 Data Localisation Requirements related to health data. 5.3 Data Localisation Requirements There is no requirement of data localisation, except for health information and data, which – under Federal Law No 2 of 2019 – may not be stored, processed, generated or transferred outside the UAE, except upon a decision issued
4.3 Employment Privacy Law Federal Decree Law No 33 of 2021, regarding the regulation of employment relationships, pro - vides that a worker should maintain the confi - dentiality of information and data to which they have access by virtue of their work. The UAE Law, the DIFC Law and the ADGM Reg - ulations do not contain any provision concerning the role of labour organisations, whistle-blowing or e-discovery. 4.4 Transfer of Personal Data in Asset Deals In the UAE, data processing in the context of asset deals must comply with both federal and sector-specific data protection regulations. Data processors must abide by the principles and obligations laid down by Federal Decree Law No 45 of 2021 on personal data protection, the DIFC Law of 2020 and the ADGM Data Protec - tion Regulations 2021. In addition, Article 120 of Federal Decree Law No 14 of 2018, concerning the Central Bank and the regulation of financial institutions and activi - ties, states that all customer data and informa - tion related to accounts, deposits, safe deposit boxes, trusts and associated transactions with licensed financial institutions are strictly confi - dential. Disclosure to third parties is prohibited without the account owner’s written consent or that of their legal attorney or authorised agent, except in cases permitted by law. This confiden - tiality obligation remains binding even after the termination of the customer’s relationship with the institution.
502 CHAMBERS.COM
Powered by FlippingBook