UAE Trends and Developments Contributed by: Kokila Alagh and Akshata Namjoshi, Karm Legal Consultants
transfers can proceed with a binding contract ensuring safeguards, explicit consent of the data subject, for legal compliance or for legal claims. Transfers are also allowed for contractual obligations in the data subject’s interest, international judicial co-operation or safeguarding public interest.

DIFC DP Law

Under the DIFC DP Law, personal data transfers outside the DIFC are allowed if the recipient jurisdiction has adequate data protection laws. If there are no laws, transfers require legally binding contracts, corporate rules or safeguards such as explicit consent, contractual necessity, legal compliance or public interest. Transfers are also valid for legal claims, vital interests, financial standards or AML/CFT compliance.

If the data transfer does not fall under any of these conditions, it must meet the following additional criteria to be considered valid under the DIFC DP Law:

• the transfer should not be repetitive or part of a continuous series of transfers;
• it must concern only a limited number of data subjects;
• it should be necessary for pursuing compelling legitimate interests of the controller; and
• the controller must perform a comprehensive documentary assessment of all the circumstances surrounding the transfer and ensure that suitable safeguards are in place.

ADGM DPR

Such transfers are permissible under specific conditions, as follows.

Transfers are allowed to jurisdictions recognised by the ADGM Commissioner of Data Protection as providing an adequate level of data protection. The list of these jurisdictions is maintained and updated by the ADGM Office of Data Protection.

In the absence of adequate laws, data transfers require safeguards that include legally binding instruments, corporate rules, standard clauses, codes of conduct, or certification ensuring data rights and legal remedies. Transfers can also rely on explicit consent, public interest, legal compliance, vital interests, legal claims, or contracts facilitating performance and protecting the data subject’s interests.

Analysis

The data transfer rules across these jurisdictions clearly outline when personal data may be moved beyond their borders, leaving no room for ambiguity. This precise approach not only facilitates cross-border data flows in a practical and flexible manner but also maintains the confidentiality of personal data. In instances where the receiving jurisdiction lacks robust data protection laws or formal bilateral agreements, the defined criteria provide both data subjects and organisations with the independence needed to manage their data transfers in line with their unique legal and operational requirements.

Data Breach

PDPL

Organisations must establish mechanisms to detect and manage data breaches. While detailed breach notification timelines will be specified in the forthcoming Executive Regulations, companies must promptly inform the UAE Data Office of any incidents that could jeopardise data subjects’ rights and freedoms.

DIFC DP Law

Reporting data breaches to authorities
511 CHAMBERS.COM