UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants
regardless of location. Its extraterritorial scope ensures robust data protection for all process - ing activities conducted through local means or personnel within the financial centre. The Office of the Commissioner of Data Protec - tion (the “Commissioner”) is the designated reg - ulatory body responsible for enforcing these pro - visions. The Commissioner handles complaints from data subjects, oversees compliance with both the law and the regulations, and works to enhance public understanding of data protection principles. Inadvertently obtained information Amendments of 1 September 2023 to the DIFC DP Regulations introduced key updates where individuals who inadvertently receive personal data are now classified as “temporary custodi - ans” and must notify the owner or the Commis - sioner and delete the data to avoid liability for unauthorised processing. Marketing and communications Marketing rules mandate that data subjects be clearly informed of their right to limit data use. Organisations must provide intuitive pri - vacy options, such as clear selection boxes and accessible language, to ensure transparency in data collection and usage. Processing via autonomous and semi- autonomous systems For the first time, AI and semi-autonomous sys - tems fall under regulation. Entities using such technologies must notify data subjects about data-processing purposes, system design prin - ciples and any certifications. The amendments establish key AI design principles, including eth - ics, fairness, transparency, security and account - ability, ensuring responsible and compliant data use. These changes strengthen the DIFC’s data
protection framework, reinforcing privacy rights and ethical technology deployment. ADGM The ADGM Data Protection Regulations (the “ADGM DPR”) set the legal framework for per - sonal data protection within the ADGM. Issued on 14 February 2021, they took effect on 14 Feb - ruary 2022 after a one-year transition. Enforced by the Office of Data Protection under the Com - missioner, the regulations also apply beyond the ADGM as follows: • entities outside the ADGM may be subject to them if their processing activities are directly linked to an ADGM-based entity; and • where the ADGM entity’s revenue is tied to such external processing. Territorial Application The data protection regimes in the UAE, DIFC and ADGM extend their reach beyond their physical boundaries, but each under its own set of conditions. PDPL (UAE mainland) Any controller or processor, wherever they are based, who processes personal data of individ - uals located in the UAE must comply with the PDPL. The regulation’s definition of “data sub - ject” is broad, covering all natural persons, and is not limited to the citizens or residents of the UAE. This means that even a tourist visiting the UAE temporarily is included within its scope, and any entity handling such personal data is subject to its provisions. DIFC Data Protection (DP) Law The DIFC DP Law applies to controllers and processors irrespective of their incorporation if they process personal data within the DIFC.
506 CHAMBERS.COM
Powered by FlippingBook