UAE Mainland: Processing by Entity Registered or Incorporated in Jurisdiction
UAE Mainland: Applicability to Processing by Entities Registered or Incorporated in Jurisdiction
The UAE Federal Personal Data Protection Law (PDPL) applies to data processing activities carried out by controllers or processors located within the UAE, regardless of whether the data subjects are inside or outside the country.
Text of Relevant Provisions
Federal PDPL Art.2(1)(b):
"1. The provisions of this Decree Law shall apply to the Processing of Personal Data, whether totally or partially, through automatically operated electronic systems or other means, by:
b. any Controller or Processor located in the State who carries out the activities of Processing Personal Data of Data Subjects inside or outside the State."
Original (Arabic):
"1. تسري أحكام هذا المرسوم بقانون على معالجة البيانات الشخصية سواء كلها أو جزء منها عن طريق وسائل الأنظمة الإلكترونية التي تعمل بشكل تلقائي وآلي، أو غيرها من الوسائل الأخرى، وذلك من قبل:
ب. كل متحكم أو معالج متواجد في الدولة يقوم بمزاولة أنشطة معالجة البيانات الشخصية لأصحاب البيانات في الدولة أو خارجها"
Analysis of Provisions
The UAE Federal PDPL explicitly establishes its applicability to data processing activities based on the location of the controller or processor within the UAE. Article 2(1)(b) states that the law applies to "any Controller or Processor located in the State" (كل متحكم أو معالج متواجد في الدولة). This provision clearly indicates that the physical presence or establishment of the entity in the UAE is a key factor in determining the law's applicability.
Furthermore, the provision extends the law's reach to cover the processing of personal data of data subjects both "inside or outside the State" (لأصحاب البيانات في الدولة أو خارجها). This means that as long as the controller or processor is located in the UAE, the law applies regardless of the geographical location of the data subjects whose personal data is being processed.
The law also specifies that it applies to the processing of personal data "whether totally or partially, through automatically operated electronic systems or other means". This broad definition ensures that the law covers various types of data processing activities, regardless of the technology or methods used.
Implications
The implications of this provision for businesses are significant:
- UAE-based entities: Any company, organization, or individual that is registered, incorporated, or has a physical presence in the UAE and engages in personal data processing activities falls under the scope of the PDPL, regardless of where their data subjects are located.
- Global reach: UAE-based controllers and processors must comply with the PDPL even when processing personal data of individuals located outside the UAE. This extends the law's territorial scope beyond national borders.
- Broad application: The law applies to both automated and non-automated data processing, covering a wide range of activities and technologies.
- Compliance requirements: UAE-based entities must ensure compliance with all aspects of the PDPL, including data protection principles, data subject rights, and any specific obligations for controllers and processors.
- Extra-territorial effect: International companies with subsidiaries or branches in the UAE need to be aware that their UAE operations will be subject to the PDPL, even if they process data of non-UAE residents.
- Potential conflicts of law: UAE-based entities processing data of individuals in other jurisdictions may need to navigate potential conflicts between the PDPL and other applicable data protection laws.
While this provision establishes a broad scope of application, the UAE Federal PDPL also provides for potential exemptions. Article 3 grants the Office the power to exempt certain establishments that do not process large amounts of personal data from some or all of the law's requirements, subject to standards and controls set by the Executive Regulations.