Meyer-Reumann & Partners
German Legal Expertise in the Middle East since 1981

The right to be forgotten - Impact of the new GDPR on companies in the UAE

Author: Mariem Al-Ssayrafi
Lawyer

Guiding Principle
Effective from May 25, 2018, the new General Data Protection Regulation (GDPR) came into force in the member states of the European Union, except in the UK. In times of increasing data transparency driven by a fast-developing online culture, the EU decided to unify the data protection rules for all its member states. But what does this mean for companies located in the UAE, and is there any impact at all?
The answer to this question is, as always, simple but complicated at the same time: it depends.

A. Overview of existing UAE Regulations
Unlike the EU, the UAE has neither a federal data protection law nor a regional data protection law for the Emirate of Dubai. Companies collecting data are not required to comprehensively protect personal data.

There are some specific regulations regarding data in place, but none of them amounts to a comprehensive data protection law. Art. 31 of the Constitution provides for a general right to privacy by stating that “freedom of communication by post, telegraph or other means of communication and the secrecy thereof shall be guaranteed in accordance with the law”. According to a broadly held view, this provision was intended to enshrine a basic right to privacy in relation to an individual’s personal and family affairs.

According to the Civil Code (Federal Law No. 5 of 1985), a wrongful invasion of this right to privacy may constitute a “wrongful act” for which a civil action for damages would lie. Here, however, the “wrongful act” is tied to “damage to reputation” and “invasion of privacy” (as granted by the Constitution).

According to Art. 378 of the Penal Code (Federal Law No. 3 of 1987), a person who violates the private or familial life of individuals by perpetrating one of the following acts:

(1) “If he lends his ears, records or transmits, through an apparatus of any kind, conversations that took place in a private place or through the telephone or any other apparatus.

(2) Captures or transmits, through any kind of apparatus, the picture of a person in a private place”

shall be sentenced to detention and to a fine, unless authorized by law or done with the victim’s consent. People living in the UAE therefore do have a right to protection of personal data relating to their individual or family life, but only with regard to the publication of such data.

Beyond the above-mentioned provisions, the Electronic Transactions and Commerce Law (Federal Law No. 1 of 2006 and the corresponding Dubai Law No. 2 of 2002 relating to Electronic Transactions and Commerce) and the Cyber Crimes Law (Federal Law No. 5 of 2012) set out rules connected to data, but they do not regulate the commercial use of data.

In contrast to the UAE as a whole and the rules applicable on the mainland of Dubai, the Dubai International Finance Centre (DIFC, a Freezone in the centre of Dubai) has its own comprehensive data protection regulations in place. These regulations match international and European standards, but they apply only within the Freezone and do not extend to the mainland or to other Freezones.

B. Time for an Internal Audit
Whether a company in the UAE has to comply with the GDPR depends on several factors.

I. Location
Companies located in the UAE that have no parent company, head office or similar establishment in the EU do not fall within the scope of the GDPR. As mentioned above, neither a federal data protection law nor a regional data protection law for the Emirate of Dubai exists.

Nevertheless, companies dealing with European business partners or clients should not ignore the GDPR entirely. As GDPR compliance is mandatory for European companies, there is a high probability that they will ask their business partners to be GDPR compliant as well. The possibility that the UAE will introduce a comprehensive data protection law adapted to international standards (as in the DIFC) exists and should not be underestimated.

All companies that are closely connected to their European “motherships” and receive data from them for work, processing etc. fall within the scope of the GDPR. For those originating in countries that already had a good data protection law in place, the changes may not be radically new, but awareness still has to be created of the requirements that must now be met and of the changes the company and its systems require.

II. The Type of Data
Another important factor to consider in relation to the GDPR is which kind of data a company collects, processes etc. Article 4(1) of the Regulation defines the data covered by the GDPR as ‘personal data’: any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

  • name
  • identification number
  • location data
  • online identifier
  • one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data is the key concept of the GDPR, as the new definition of personal data is far broader than in any previous European data protection law. In times of digitalization, the European states aimed to construct a piece of legislation that protects their citizens from the increasing transparency caused by the daily collection of personal data.

But as a logical consequence, the GDPR also states in Recital 26 that “the principles of data protection should therefore not apply to anonymous information [...] data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.

Article 4(5) in turn defines pseudonymisation: “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

Where the link to an identifiable person is not required, companies could circumvent the compliance requirements set out by the GDPR by pseudonymising or anonymising the data.

III. Is the Data really Needed and what is Done with It?
Companies that fall within the scope of the GDPR should check now where data is collected, what is done with it and, in particular, whether this data is really required.

If the answer is yes, an extended GDPR compliance audit is required to avoid future problems and potential losses. This audit should combine a technical and a legal audit. The technical audit is needed to check whether hardware and software meet the requirements newly introduced by the GDPR, e.g. the right of a data subject to request the deletion of its data. Here it is not enough to delete the data by moving it to the “digital trash bin”. Such a deletion does not actually remove the data: the storage is merely released to be overwritten by new data later, and until that happens the data is still not completely deleted. Mechanisms therefore need to be implemented to ensure that requirements like this are met.
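The two technical points above, pseudonymisation with the re-identifying information kept separately (Art. 4(5)) and the handling of a deletion request, are illustrated by the following added example. It is not code from the article or the law firm; the records, names and e-mail addresses are constructed, and the choice of the e-mail address as the subject key and of a random token (rather than a hash of the identity) are assumptions of the example. A practitioner's caveat that follows from Recital 26: as long as the vault still holds the link, the pseudonymised working set remains personal data; only once the link is destroyed does the remaining data become "no longer identifiable".

```python
import secrets

# Constructed sample records: the names, e-mail addresses and amounts are made up.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 120.0},
    {"name": "Bob Example", "email": "bob@example.com", "order_total": 45.5},
    {"name": "Alice Example", "email": "alice@example.com", "order_total": 9.99},
]

# Fields that directly identify the data subject (assumption for this example).
IDENTIFYING_FIELDS = ("name", "email")


class PseudonymVault:
    """Holds the 'additional information' of Art. 4(5) GDPR.

    Stored and access-controlled separately from the working data set; only a
    holder of this vault can attribute a token back to a natural person. The
    e-mail address serves as the subject key, an assumption of this example.
    """

    def __init__(self):
        self._token_by_subject = {}   # e-mail -> token
        self._subject_by_token = {}   # token -> identifying fields

    def token_for(self, record):
        """Return the subject's token, minting a random one on first sight."""
        subject = record["email"]
        token = self._token_by_subject.get(subject)
        if token is None:
            # Random rather than derived from the data, so the token reveals
            # nothing and cannot be recomputed from a guessed identity.
            token = secrets.token_hex(16)
            self._token_by_subject[subject] = token
            self._subject_by_token[token] = {f: record[f] for f in IDENTIFYING_FIELDS}
        return token

    def reidentify(self, token):
        """Re-attribute a token; None if no link exists (any more)."""
        return self._subject_by_token.get(token)

    def erase_subject(self, subject):
        """Handle an erasure request by destroying the link, not the figures.

        Once the mapping is gone, the subject's tokens in the working data
        set can no longer be attributed to anyone ('no longer identifiable').
        """
        token = self._token_by_subject.pop(subject, None)
        if token is None:
            return False
        del self._subject_by_token[token]
        return True


def pseudonymise(records, vault):
    """Strip the identifying fields from each record and replace them by a token."""
    working = []
    for record in records:
        token = vault.token_for(record)
        stripped = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        stripped["subject_token"] = token
        working.append(stripped)
    return working


def contains_identifiers(records):
    """Audit check: does the working data set still carry direct identifiers?"""
    return any(field in record for record in records for field in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    vault = PseudonymVault()
    working = pseudonymise(SAMPLE_RECORDS, vault)
    print("identifiers left in working set:", contains_identifiers(working))
    alice_token = working[0]["subject_token"]
    print("re-identified:", vault.reidentify(alice_token))
    print("erased:", vault.erase_subject("alice@example.com"))
    print("after erasure:", vault.reidentify(alice_token))
    print("totals still usable:", sum(r["order_total"] for r in working))
```

The working data set keeps the figures needed for business analysis, while the vault is the single place a deletion request has to act on. In a real deployment the vault would live in a separately secured store with its own access control and audit log, and the deletion of its entries would itself need to meet the "really gone" standard discussed above.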

In parallel, a legal audit should be conducted hand in hand with the technical audit, in particular to determine where exactly the new requirements have to be implemented, where the company stands and what each individual company needs, as a one-size-fits-all solution for all companies will not be possible.

C. Conclusion
In summary, whether companies have to comply with the GDPR, and if so how, depends on many different factors. Given the complexity on both the technical and the legal side, general advice on the GDPR is nearly impossible and should be treated with caution.

If you require legal assistance with this complex and difficult topic or help with your internal legal audit, we would be happy to assist you.
