UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants
tance of considering whether the data subject is a minor when applying the test. The guidance emphasises that, when minors exercise their right to access information, the provided data must be communicated in a clear, transparent and easily understandable manner tailored to their level of understanding. Analysis Under the PDPL, minors are treated the same as adults for data processing. However, both the DIFC DP Law and the ADGM DPR introduce more tailored protections for minors. In the DIFC, minors are granted an absolute right to reject automated processing, while the ADGM frame - work incorporates a proportionality test that places special emphasis on the data subject’s minor status when justifying processing based on “legitimate interest”. These measures dem - onstrate a heightened sensitivity to the unique risks and needs involved in handling the per - sonal data of minors. Appointment of a Data Protection Officer PDPL Under the PDPL, a Data Protection Officer (DPO) must be appointed when: • processing activities pose a significant risk to the confidentiality and privacy of personal data due to the use of emerging technologies or the large volume of data processed; • processing involves a systematic and com - prehensive evaluation of sensitive data, including profiling or automated processing; or • a substantial volume of sensitive personal data is being handled. DIFC DP Law A DPO is required under the DIFC DP Law only when a controller or processor is engaged in
“high risk activities” on a regular or systematic basis that includes: • processing a considerable amount of per - sonal data via use of novel technologies or methods resulting in a high risk to the data subject; • processing that involves automated process - ing, including profiling, where inferences from such processing will form the basis of legally binding decisions; or • where a material amount of special categories of personal data is to be processed. ADGM DPR The ADGM DPR mandates the appointment of a DPO if an organisation is involved in: • large-scale processing or continuous moni - toring of data; and • processing activities that involve considerable amounts of special category personal data. Analysis All three frameworks – the PDPL, DIFC DP Law and ADGM DPR – set similar thresholds for DPO appointment. They each require a DPO in sce - narios where data processing presents elevated risks, whether due to the volume of data, the sensitive nature of the information involved, or when systematic processing activities occur. This unified approach ensures that organisations managing high-risk data-processing operations have dedicated oversight to maintain robust compliance with data protection standards. International Transfers PDPL Under the PDPL, personal data transfers outside the UAE are permitted if the recipient’s jurisdic - tion has adequate data protection laws or if a bilateral agreement exists. If neither applies,
510 CHAMBERS.COM
Powered by FlippingBook