Each of the six countries forming the GCC now have a personal data protection regime in place, the most recent being the Personal Data Protection Law of Saudi Arabia (Saudi PDPL) which came into force on 17 March 2023. This article provides a brief overview of the current data protection, privacy landscape and key provisions in the United Arab Emirates (UAE) and the Kingdom of Saudi Arabia (KSA), that your business should be considering when localising privacy policies, internal policies for the transfer of data as well as procedures for data breaches. On a general note, in both jurisdictions, the laws are new and we are waiting to see enforcement in practice as well as Executive Regulations to give further clarification of the laws. As such, it is an optimal time to clean up internal policies/frameworks to ensure you’re not caught in the cross hairs of regulatory force as they begin to roll out

United Arab Emirates

Relevant Law: Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (UAE PPDL) Regulator: The UAE Data Office Applies to: processing of personal data

• Of any Data Subject residing or has a place of business in the UAE
• by any Controller or Processor located inside the UAE processing personal data of a Data Subject inside the UAE
• by any Controller or Processor located outside the UAE processing personal data of a Data Subject inside the UAE.
• Processing personal data is prohibited without the consent of the Data Subject except in certain circumstances set out in the UAE PPDL. Transferring personal data: The personal data may be transferred outside the UAE if there is an adequate level of protection in the country to which the data is to be transferred. If there is not an adequate level of protection, data may be transferred outside the UAE
• under a contract or agreement that obliges the entity in the country without adequate protection to implement the provisions, measures, controls and requirement set out in the UAE PPDL
• if express consent of the Data Subject is obtained
• if the transfer is necessary to comply with a legal obligation, enter into or execute a contract between the Controller and Data Subject, or between the Controller and a third party to achieve the Data Subject’s interest, perform a procedure relating to international judicial cooperation or protect the public interest.

Breach notification requirements: The Controller must notify the regulator immediately upon becoming aware of the breach. The Data Subject must be notified in the event that the breach would prejudice the privacy, confidentiality and security of the data. The UAE PPDL keeps intact existing data protection and privacy laws within the UAE’s financial free zones, DIFC and ADGM, the rules of the Dubai Health Care City, as well as applicable onshore laws regulating health data and banking and credit data. For this reason the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the UAE PPDL will need to be considered carefully depending on where your business is operating and situated. The specifics and particulars of the law and requirement will be set by the Executive Regulations of the UAE PPDL which are yet to be released as at the date of this article. We are well versed in requirements across the UAE, within each jurisdiction both on shore and in the free zones, and can assist to navigate the ongoing changes and complexities within the data privacy landscape required to localise your policies for appropriate compliance