GDPR – Handle with Care


1. Introduction

The European Union’s General Data Protection Regulation (the “GDPR”) came into force and effect on 25th May 2018 with the aim to strengthen the control that individuals have over their personal data and to reduce the effects of data breaches in the European Union (“EU”). The implication of the GDPR is not limited to organisations or companies operating in the EU alone. In fact, it is intended to apply in an extraterritorial context. Meaning thereby that any organisation or company, whether located inside or outside of the EU, which deals with the EU citizens data (data subjects) are affected by the GDPR. Hence, in the United Arab Emirates (the “UAE”), any organisation or company that holds or handles EU citizens data are affected by the GDPR.

In this article, we highlight some of the key issues that the UAE companies should consider in order to be in compliance with the GDPR.


2. Scope

The GDPR applies to any organisation or company located outside of the EU, if they:

  1. have a physical presence in the EU (i.e. have a branch, subsidiary or representative in the EU);   
  2. offer goods or services to the EU citizens; or
  3. process and analyse EU based individuals’ personal data in any way (i.e. monitoring the online behaviour of the EU data subjects).

So, for instance, even if a UAE based company does not have a physical presence in the EU, but (i) targets or monitors EU residents’ data via cookies or apps, etc.; or (ii) is outsourcing the storage or processing of the data to service providers located in the EU; or (iii) sending material to EU based companies or data subjects, it will be caught by the GDPR provisions. Non-compliance of which may attract heavy penalties.

Hence, all UAE based organisations with any connection to the EU shall consider the impact of the GDPR and be cognisant of the cost attached to non-compliance of the same.


3. GDPR requirements

The basic GDPR requirements are straightforward and include the following:

  1. Appointment of a representative - Any organisation based outside of the EU which is processing personal data in relation to the offering of products or services to or monitoring the behaviour of the EU-based data subjects should designate a representative in the EU unless an exemption applies.
  2. Establish compliant accountability processes - Record of actual compliance, including processes for record keeping, appointment of a data protection officer or a EU representative, as above, if applicable, dealing with data subjects.
  3. Recordkeeping - Enhance recordkeeping responsibilities relating to data subjects approvals and requests for data modifications or deletions. Records must also be available to EU enforcement authorities upon their request.
  4. Deletion of data - Provision of reasonable means for data subjects to request the deletion of their information. Personal data should also be removed from other websites or files where it is stored or used, when requested.
  5. Data breach notification - Serious data breaches must be disclosed within 72 hours to applicable data protection authorities and potentially affected individuals, where feasible. For certain infringements, a company may be subject to fines of up to €20 million or 4% of its annual global turnover, whichever is higher.
  6. Adoption of privacy by design approach - The legal basis on which you process and transfer personal data between jurisdictions shall be clear, including conducting a data protection audit and updating privacy policies.
  7. Consent - Consent for the use of individual’s personal data must be clear and freely given. The data subject shall be informed of what the consent is used for and shall be able to withdraw the consent at any time.
  8. Limited use of data - Data collected shall only be used for the explicit purpose for which it was collected and to which the data subject specifically agreed to. So, for instance, data received from an online order cannot be used for marketing research purposes, unless the UAE based company discloses to the data subject that it will do so.


4. How to comply and what can TLG do for you? 

  • Seek legal advice as to whether and to what extent your organisation or company is caught by the GDPR’s scope;
  • Assess what personal data of the EU data subjects your company hold, where, how, and for what purpose the data is being processed. Ensure that the processing of personal data is for a valid purpose and is - fair, lawful and transparent;
  • Ensure that the entire organisation is aware of the legal risks associated with the GDPR so that they can remain pro-active. Procedure must also be in place where there is a breach and notification of the same to the relevant regulatory authority;
  • Review and update the agreements you have in place with your customers or third parties, for instance - standard terms of business in print and online terms of use, etc. and make them GDPR compliant. Existing data protection policies have to be amended if they are not fit for purpose, and new provisions should be inserted that specifically deal with the GDPR and are in compliance with other applicable UAE data protection legislation. Further, if your company manages consent data, consider whether they meet the new requirements - if not, all consents must be renewed;
  • Our legal team can assist you in determining and advising whether GDPR will apply to you and assess what needs to be amended to ensure that you are GDPR compliant. Depending on the outcome, we will ensure that your companies’ policies and processes adhere to both the UAE applicable laws and the GDPR.

Article by Kochi Vasylyeva, Legal Associate, Corporate & Commercial Division.