UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants
In practice, this means that, if data processing occurs via means or personnel operating in the DIFC, the entity must adhere to the DIFC DP Law, ensuring full compliance within the centre. ADGM DPR The extraterritorial application of the ADGM DPR is more circumscribed. For controllers or proces - sors outside the ADGM to fall under its juris - diction, there must be a direct and substantial connection to an ADGM-based entity. In other words, the external processing must be integral - ly linked to the operations of a company within the ADGM, with the revenue generated by the ADGM entity being demonstrably tied to those processing activities. Analysis The UAE PDPL has a broad extraterritorial scope, applying to any processing of personal data involving individuals in the UAE, regard - less of the controller’s or processor’s location – even covering tourists. In contrast, the DIFC DP Law applies based on where processing occurs, focusing on whether the means or per - sonnel are in the DIFC, irrespective of the data subjects’ locations. The ADGM DPR takes a narrower approach, applying to foreign entities only if there is a strong, demonstrable link to an ADGM-based company, ensuring jurisdiction is limited to processing activities closely tied to the company’s services and revenue. Non-Consent-Based Legal Basis for Processing of Data “Consent” is a key principle in personal data pro - cessing, ensuring that data subjects retain con - trol. The PDPL, DIFC DP Law and ADGM DPR set strict consent criteria. The PDPL requires consent to be specific, informed and unambigu - ous, with clear details on processing purposes and the controller’s identity. The DIFC DP Law
and ADGM DPR further mandate that consent be “freely given”, preventing coercion. However, consent is not always the sole legal basis for processing. These frameworks also outline alter - native grounds, allowing data processing with - out consent, and ensuring a balanced approach between regulatory compliance, individual rights and business or public interest needs. This applies as follows. PDPL • For protection of public interest. • Where personal data has been made public by the data subject, to initiate or defend legal claims and judicial/security procedures. • While facilitating healthcare, employee capac - ity assessment or social care system man - agement. • While facilitating public health protection (diseases, epidemics) and ensuring safety of medical products/medicines. • While facilitating scientific/historical/statistical purposes as mandated by State legislation. • For protection of the interests of the data subject. • While facilitating fulfilment of legal obligations and exercising rights in relation to employ - ment, social security and social protection, as permitted by relevant laws. • While facilitating fulfilment of contractual obligations or amending, concluding and terminating a contract at the request of the data subject. DIFC DP Law • For performance of a contract. • For compliance with legal obligations. • For protecting the vital interests of the data subject. • Where processing is necessary for: (a) performance of a task carried out by the Dubai Financial Services Authority, DIFC
507 CHAMBERS.COM
Powered by FlippingBook