Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations. Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside the country;
- people/entities outside the country being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
There are generally no laws in mainland UAE restricting the international transfer of employment-related personal data outside the UAE.
Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields (ICT Health Law) limits the transfer of personal data that is attributed to the health sector. The international transfer of health data protected under the ICT Health Law outside of the UAE is prohibited unless approval is obtained from the health authority or Minister. It’s unclear whether employers would be subject to the law with respect to health-related employment data, or whether the law only applies to healthcare companies (i.e., medical providers and insurers).
Free Trade Zones
Some free trade zones in the UAE have requirements relating to international data transfers. For example, data transfers from the Dubai International Financial Center (DIFC) to a third country or international organization can only take place if certain requirements are met (DIFC Law No. 5 of 2020). The Abu Dhabi Global Market (ADGM) also has specific requirements for the international transfer of data (ADGM Data Protection Regulations 2021).
The requirements in these free trade zones are generally consistent with the European Union’s General Data Protection Regulation. Therefore, an international transfer of personal data: needs to be to a country considered adequate (note: mainland UAE is not considered adequate); requires safeguards to be put in place (such as standard contractual clauses or binding corporate rules); or requires a specific derogation to apply.
HR Best Practices: The UAE and Free Trade Zones have different requirements relating to the international transfer of personal data. While mainland UAE has few personal data protection requirements relating to employee data (excluding health data), Free Trade Zones often have international data transfer requirements that must be met.