Data Protection and Privacy 2025

UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants

Courts or the Commissioner in the interests of the DIFC.
(b) exercise of a DIFC body’s powers and functions; or
(c) the exercise of powers or functions vested by a DIFC body in a third party to whom personal data is disclosed by the DIFC body.
• In pursuance of a “legitimate interest” of the controller.

ADGM DPR

• For performance of a contract.
• For compliance with legal obligations.
• For protecting the vital interests of the data subject.
• Where processing is necessary for the performance of a task carried out by a public authority in the interests of the ADGM, or in the exercise of:
(a) the ADGM;
(b) the Financial Services Regulatory Authority;
(c) the ADGM Courts;
(d) the registration authority’s functions; or
(e) official authority vested in the controller under applicable law.
• In pursuance of a “legitimate interest” of the controller.

Analysis

The PDPL, DIFC DP Law and ADGM DPR provide distinct yet overlapping legal bases for data processing. All three prioritise protecting vital interests and fulfilling contractual or legal obligations. While the DIFC DP Law and ADGM DPR recognise “legitimate interests” as a basis, the PDPL does not, instead focusing on public interest and health-related processing. Together, these frameworks balance legal compliance, individual rights and business needs, reflecting a nuanced approach to data protection and regulatory requirements.

Whether “Consent” Is a Valid Basis for Processing of Data in the Case of an Employee

PDPL

Consent is recognised as a valid legal basis for processing personal data under the PDPL. However, the law does not expressly require that such consent be “freely given”. In practice, this means the PDPL does not explicitly address scenarios where power imbalances – such as those that might exist between employers and employees – could lead to consent that is less than voluntary. It is expected that future Executive Regulations may provide additional clarity on this issue.

DIFC DP Law/ADGM DPR

In contrast, both the DIFC DP Law and the ADGM DPR – as interpreted through guidance issued by their respective data protection authorities – mandate that consent must be “freely given”. These frameworks are to be read alongside UK and EU standards, which emphasise that data subjects must have a genuine, uninfluenced choice when consenting, ensuring that no party is coerced into agreeing to data processing.

Analysis

The PDPL accepts consent as a legal basis for processing without an explicit requirement for it to be “freely given”, leaving potential issues unaddressed – such as power imbalances between employers and employees. On the other hand, the DIFC DP Law and the ADGM DPR take a more robust stance by requiring that consent be given voluntarily. This stricter requirement aligns these frameworks with international best practices, thereby better safeguarding the autonomy of data subjects in all contexts.
