Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside the country being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
The UAE Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) permits transferring personal data outside the country if (a) the country or territory has been deemed to have an adequate level of protection by the UAE data protection authority, or (b) the UAE has a bilateral or multilateral agreement relating to personal data protection with the country or countries where the data will be transferred.
Under the PDPL, personal data can also be transferred outside the UAE:
- if the employer (or other data controller or processor) operates in the UAE and in a country that does not have a data protection law, and has a contract or agreement that obliges implementing provisions, measures, controls and requirements similar to the UAE’s protection of personal data laws;
- with the data subject’s express consent to the international personal data transfer, as long as the data is transferred in a manner that does not conflict with the security and public interest of the State;
- if necessary to fulfill obligations and establish, exercise or defend rights before judicial authorities;
- if necessary to enter into or execute a contract between the employer and an employee (or other data subject), or between the employer and a third party to achieve the data subject's interest;
- if necessary to perform a procedure relating to international judicial cooperation; or,
- to protect the public interest.
Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields (ICT Health Law) limits the transfer of personal data that is attributed to the health sector. The international transfer of health data protected under the ICT Health Law outside of the UAE is prohibited unless approval is obtained from the health authority or Minister. It’s unclear whether employers would be subject to the law with respect to health-related employment data, or whether the law only applies to healthcare companies (i.e., medical providers and insurers).
Free Trade Zones
Some free trade zones in the UAE have requirements relating to international data transfers. For example, data transfers from the Dubai International Financial Center (DIFC) to a third country or international organization can only take place if certain requirements are met (DIFC Law No. 5 of 2020). The Abu Dhabi Global Market (ADGM) also has specific requirements for the international transfer of data (ADGM Data Protection Regulations 2021).
The requirements in these free trade zones are generally consistent with the European Union’s General Data Protection Regulation. Therefore, an international transfer of personal data needs to be to a country considered adequate (note: mainland UAE is not considered adequate), requires safeguards to be put in place (such as standard contractual clauses or binding corporate rules), or requires a specific derogation to apply.
HR Best Practices: The UAE and Free Trade Zones have different requirements relating to the international transfer of personal data. The mainland UAE may have additional requirements in the future, once the PDPL regulations are in place.