What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.
UAE’s Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL) requires that data controllers, such as employers, and data processors appoint a Data Protection Officer if the personal data processing:
- would cause a high-level risk to the confidentiality and privacy of a data subject's personal data as a result of adopting new technologies or because of the volume of data processed;
- involves a systematic or comprehensive assessment of sensitive personal data, including profiling and automated processing; and/or
- would be carried out on a large amount of sensitive personal data.
The PDPL defines sensitive personal data as any data that directly or indirectly reveals a natural person's family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to health (including physical, psychological, mental, genetic or sexual condition, and information related to health care services that reveals health status).
DPOs must have sufficient skills and knowledge about personal data protection. DPOs are responsible for:
- verifying the quality and validity of procedures adopted by the controller (i.e., the employer) or processor;
- receiving personal data related requests and complaints;
- providing technical advice relating to procedures of periodic evaluation and examination of personal data protection systems and intrusion prevention systems, documenting the evaluation results, and providing appropriate recommendations;
- acting as a liaison with the data protection authority regarding the implementation of personal data protection processing.
Additional requirements for DPOs will be determined by the Executive Regulations.
Some free trade zones in the UAE require data protection officers in certain cases. For example, the Dubai International Financial Center requires appointing a DPO when an employer (or other Controller) or Processor is performing high-risk processing activities on a systematic or regular basis (DIFC Law No. 5 of 2020, Art. 6). The Abu Dhabi Global Market requires that employers (and other Controllers and Processors) appoint DPOs when: (i) they are a public authority; (ii) when engaging in core activities that consist of regular and systematic monitoring of data subjects on a large scale; or, (iii) when engaging in core activities that consist of processing special categories of personal data on a large scale (ADGM Data Protection Regulations 2021, Section 35).