Take the first steps in your compliance journey!


Frequently asked questions.


Here are some key terminology in understanding privacy.

What is personal data ?

Personal data covers any data relating to a natural person or relating to a natural person who can be identified directly or indirectly by linking data.

It covers, without limitation:

  • name
  • date of birth
  • voice
  • picture
  • phone numbers
  • addresses
  • citizenship
  • identification number
  • social security number
  • financial information
  • employment details
  • educational information
  • electronic identifiers
    • email addresses
    • geo location
    • IP addresses
    • cookie identifiers
    • RFID tags
    • MAC addresses
    • advertising IDs
    • pixel tags
    • account handles
    • device fingerprints

or one or more of the natural person’s physical, physiological, economic, cultural or social characteristics which can also include sensitive personal data.

What is sensitive personal data ?

Sensitive data are special categories of personal data that directly or indirectly can reveal information about a natural person such as:

  • family, racial or ethnic origin
  • political opinions
  • religious denomination
  • philosophical beliefs
  • criminal record
  • union membership
  • genetic data and biometric data
  • physical or mental health
  • sexual life or sexual orientation

This kind of personal data can be more sensitive in nature and therefore requires a higher level of protection.

Who can be a data subject ?

A data subject is the natural person whose data is being processed and can interact with your company in various way such as:

  • online users
  • employees of your company
  • candidates for employment
  • individual clients
  • contacts from legal clients
  • individual suppliers
  • contacts from legal suppliers
What is data processing ?

"Processing" means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Who can process data ?

Data Processor (DP)

The DP – who may be a person, organisation, company, charity, etc. – that processes personal data on behalf of, under the direction and in accordance with the instructions of the DC - Data controller. This is usually under a contract with the DC

Data Controller (DC)

The DC determines the purposes for which – and the manner in which – any personal data is processed. This can be an individual (e.g. a self-employed consultant) or an organisation or a corporate or unincorporated body (e.g., a limited company, charity, PLC).

Rights & obligations

Here are some of your rights or obligations.

Who does the Law apply to ?

The Law applies to the processing of all personal data by controllers and processors located in the UAE whether or not the personal data processing relates to data subjects in the UAE or abroad. It covers the personal data of data subjects residing or working in the UAE

What are the rights of data subjects ?
  • right to access the information
  • right to data portability
  • right to the rectification or erasure of personal data (i.e. the right to be forgotten)
  • right to restrict personal data processing
  • right to object to personal data processing (e.g. for marketing purposes)
  • right to object to decisions resulting from automated processing (including profiling) that have legal consequences or seriously affect the data subject

Data subjects can file complaints with the Data Office if they have reason to believe there has been a breach of the Law in relation to the processing of their personal data

What are the responsibilities of a data procesor ?

The data processor may be a person, organisation, company, charity, etc. that processes the data on behalf of the Data Controler (DC). This is usually under a contract with the DC.

Responsabilities of a Data processor
  • only process personal data in accordance with the controller’s instructions
  • only process on the basis of any agreements signed between the controller and the processor.
  • must apply appropriate technical and organizational measures to protect personal data and secure the processing process
  • maintain a special record of the personal data processed on behalf of a controller
  • ensure that processing is in accordance to the specified purpose and specified processing period
Responsabilities of a Controler
  • determines the legal basis, purposes for which – and the manner in which – any personal data is processed.
  • take appropriate technical and organizational measures to protect personal data
  • manage automatic processing to ensure it is limited to its intended purpose
  • maintain a “special record” of personal data (and making it available to the Data Office on request
  • ensures processors provide sufficient guarantees
  • implement technical and organisational measures necessary to meet the requirements of the Law.
  • assess any proposed processing operations where the use of technologies could pose a high risk to the privacy of personal data ( Create DPIA’s )
  • report details of any breach that compromises the privacy, confidentiality or security of data subjects
How should personal data be processed ?
Key principles of processing
  • processing in a fair, transparent and lawful manner
  • collecting personal data only for a specific and clear purpose
  • only processing such personal data as it necessary based on the specific purpose 
  • keeping personal data accurate, correcting or deleting inaccurate personal data
  • keeping personal data secure
  • only keeping personal data for as long as required based on the specific purpose and then either deleting or anonymising it.
Legal basis for processing
  • only be processed with the consent of the data subject
  • except in certain limited circumstances such as :
    • processing where necessary to implement, conclude, amend or terminate a contract with a data subject 
    • for a controller or data subject meeting obligations and exercising employment/social protection rights.
    • data subject has made the personal data public
    • protect the interests of the data subject
    • processing is necessary for claiming legal rights or as part of judicial or security procedures
    • processing is necessary for certain medical purposes or matters of public health 
    • for archival purposes or for scientific, historical and statistical studies

What to do

Here are some tips on what to do and what not to do.

When is processing likely to result in a high risk to the rights of data subjects?

The following list details some processing operations, in particular by using new technologies, and taking into account the nature, scope, context and purposes of the processing which are ‘likely to result in high risk’ for the rights and freedoms of a natural person.

Type of processing operation(s) Description Non-exhaustive examples of areas of application
Large-scale profiling Any profiling of individuals on a large scale
  • Data processed by Smart Meters or IoT applications
  • Hardware/software offering fitness/lifestyle monitoring
  • Social-media networks
  • Application of AI to existing process
Biometric data Any processing of biometric data for the purpose of uniquely identifying an individual.
  • Facial recognition systems
  • Workplace access systems/identity verification
  • Access control/identity verification for hardware/applications (including voice recognition/fingerprint/facial recognition)
Data matching Combining, comparing or matching personal data obtained from multiple sources
  • Fraud prevention
  • Direct marketing
  • Monitoring personal use/uptake of statutory services or benefits
  • Federated identity assurance services
Invisible processing Processing of personal data that has not been obtained direct from the data subject
  • List brokering
  • Direct marketing
  • Online tracking by third parties
  • Online advertising
  • Data aggregation/data aggregation platforms
  • Re-use of publicly available data
Tracking Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment
  • Social networks, software applications
  • Hardware/software offering fitness/lifestyle/health monitoring
  • IoT devices, applications and platforms
  • Online advertising
  • Web and cross-device tracking
  • Data aggregation / data aggregation platforms
  • Eye tracking
  • Data processing at the workplace
  • Data processing in the context of home and remote working
  • Processing location data of employees
  • Loyalty schemes
  • Tracing services (tele-matching, tele-appending)
  • Wealth profiling – identification of high net-worth individuals for the purposes of direct marketing

The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Impact Assessments (DPIA) is required

What should organisations do next?

Not already developed a compliance framework

  • Create a data map and a Record of Processing Activity
  • Examine all outside countries and jurisdictions to which data is routinely transferred.
  • Create consent forms and disclosures for the processing
  • Similarly, employee contracts may need to be revised to reflect data protection provisions
  • Establish a breach response plan
  • Develop a Data Protection Impact Assessment, Vendor Assessment Questionnaire and Privacy Impact Assessment documents
  • Build up DSAR ( Data Subject Access Requests ) processes
  • Train all staff on the new data privacy requirements and processes
  • Appoint a data protection officer.

Organisations that already comply with the GDPR.

  • Appoint a DPO for the UAE
  • Review the scope of processing subject to sector or free zone-specific data protection laws
  • Establish the legal basis for processing that relies on legitimate interests under the UAE Privacy laws
  • Review data transfers from the UAE
  • Update the record of processing
  • Ensure the organisation can comply with data breach reporting requirements
Are the cookies and privacy policies on the website sufficient ?


The policies on the company's website are a good start, but not enough for your business to comply with the UAE privacy laws. In addition to these policies, there are many other documents and procedures to be implemented by the company:

  • information notes for employees and candidates, suppliers
  • internal processing registry
  • procedures for security breaches
  • data transfer contracts
  • and so on
What are the penalties for noncompliance ?
GDPR Fines and Penalties can be:
  • up to EUR 20m ( £18.5m ) or 4% of total worldwide turnover (whichever is higher) for very serious breaches
  • up to EUR 10m ( £18.5m ) or 2% of total worldwide turnover (whichever is higher) for serious breaches.

Answer a few simple questions to get a quick privacy audit of your business and find out what initial documents are required for your compliance. It takes less than 5 minutes

We are currently developing this section.

Comming soon