Do I have to obtain employees' consent in order to collect their personal data?
The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Generally, when collecting personal information in mainland UAE, consent should be obtained. Although there is no law setting out detailed requirements around fair processing or the collection of data, the failure to obtain consent in certain circumstances could mean that there is no defense available if a complaint is made under other laws, such as the Penal Code (Arts. 378 and 379) or the law on Combatting Cybercrimes. Penalties for breaches of these laws can be severe and include prison sentences as well as fines.
The UAE does not have any specific consent requirements in the context of employee related personal data, but transferring this data to a third party, publishing employee data (e.g. on a website or on social media), or obtaining data through intrusive means (e.g., though photography, video recordings or online monitoring) risks violating other laws. It is therefore good practice to obtain consent before carrying out any of these types of high-risk activities. For the mainland, these laws are enforced through local law enforcement, as there is no federal privacy regulator.
The processing of health data protected under the ICT Health Law (Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields) has additional restrictions. At this time, it’s unclear whether health-related employment data would be subject to this requirement or whether the law will only apply to healthcare companies such as medical providers and insurers.
Free Trade Zones
When free zones have a data protection law, the personal data should be processed and handled in accordance with that law. However, the federal UAE laws will generally also apply, except when they are explicitly excluded under the law of the relevant free zone.
General mainland criminal laws usually apply in free zones. Most of the relevant mainland criminal law provisions refer to the need for a "lawful permission" to undertake the activity in question. In the absence of a specific lawful permission, this is usually interpreted to mean that consent is required. Where free zones include laws that provide lawful permission, it will generally be sufficient to mitigate the risk under the mainland law.
However, the relevant mainland criminal laws are drafted more generally than data protection laws in many respects, so it is possible that a person employed in a free zone could make a complaint under a mainland law and that the police could decide to investigate and refer to the public prosecutor.
For example, if an employer chooses to publish information about an employee on social media, and the employee feels the information exposes them to ridicule, the employee can allege a breach of the Law Combatting Cybercrimes. Therefore, it is important for free-zone companies to carefully consider high-risk activities. If the activity is a discretionary one, it may be worth seeking the employee’s consent to the specific activity, even if it is not required under the free zone law.
Some free trade zones in the UAE have specific requirements relating to the collection of personal data, including employee data. For example, the Dubai International Financial Center (DIFC) and the Abu Dhabi Global Market (ADGM) both have requirements similar to the European Union’s General Data Protection Regulation, with consent being one of the lawful options to process personal information. However, these are jurisdictions based on the common law system and they will lean heavily on UK and European jurisprudence and guidance when interpreting their laws. Using consent in the employment context is often questionable under EU law, due to the unequal employee/employer relationship (i.e., the employee may not be able to give their free consent). Generally, the best basis for processing employee personal data under the ADGM and DIFC laws will usually be that:
- it is necessary to collect the personal data for the performance of the employment contract, and/or
- it is in the legitimate interests of the employer to do so (demonstration of the legitimate interest may require an impact assessment).
In the DIFC and ADGM, the processing of special categories of personal data is permitted in the context of employment (i.e. For recruitment, visa or work permit processing, the performance of an employment contract, administration of pensions, etc.) (DIFC Law No. 5 of 2020, Art. 11b and ADGM Data Protection Regulations 2021, Section 7(2)(b)).
The DIFC and the ADGM both require providing the employee (or other data subject) with specific information about the employer (or other data controller) and the processing of personal information (DIFC Law No. 5 of 2020; ADGM Data Protection Regulations 2021). They also both have additional processing requirements when sensitive or special categories of personal data will be processed.