The Impact of the UAE’s New Data Protection Law on Labor Law


published on 29 June 2022 | reading time approx. 4 minutes

 

On January 2, 2022, the new Federal Decree-Law No. 45/2021 On The Protection of Personal Data (PPDL) came into force in the UAE. The law introduces the country’s first comprehensive data protection regime, which is fundamentally similar to the EU’s General Data Protection Regulation. The law also imposes a number of new obligations on employers in their capacity as data controllers when they process the personal data of their employees.

   

 

 

The PPDL has extraterritorial effect and applies to both controllers and processors, inside and outside the UAE, that process personal data of individuals located or having a place of business in the UAE. However, the scope of application does not extend to companies located in free trade zones with special personal data protection laws. For these companies, the relevant regulations of the respective free trade zone continue to apply.
 
The data controller is any entity or natural person who holds personal data and who, by the nature of its activities, determines the method, criteria and purpose of processing, while a processor is anyone who processes personal data on behalf of the controller. Data processing is any operation performed upon personal data using electronic means, such as collection, storage or transmission.
 
Personal data, on the other hand, are all data or information relating to an identified natural person or by which such a person can be identified, such as name, image or address, but also other characteristics that are an expression of physical, mental, economic, cultural or social identity. For example, by collecting and storing personal data of employees by electronic means, the employer processes such data and becomes a data controller in the sense of the PPDL. The employer is therefore obliged to comply with the relevant regulations.
 
While data controllers are generally obliged to obtain the consent of the data subject for the processing of personal data, Art. 4 No. 8 PPDL contains an exception for the case that the processing is necessary for the data controller or the data subject to fulfill their obligations and exercise their rights in connection with the employment relationship, insofar as this is permitted under the Labor Code. It follows that the processing of personal data of employees by the employer, for example, for the purpose of keeping records and registers of employees pursuant to Art. 13 No. 1 of the Labor Code does not require consent. The same applies pursuant to Art. 4 No. 4 PPDL if the processing is necessary for occupational health purposes and for assessing an employee’s fitness for work. However, the legislator does not provide a legal definition of the criterion of “necessity” within the meaning of Art. 4 PPDL. In the absence of established case law and of the issuance of the Implementing Regulation, it therefore remains unclear how this criterion is to be interpreted, and a consent clause should be included in new employment contracts in borderline cases.
 
For any further processing of employees’ personal data that is not covered by these exceptions, the employer must obtain their consent in accordance with Art. 6 PPDL. The consent must be given in a clear, simple, unambiguous and easily accessible form (in writing or electronically) and must refer to the data subject’s right of withdrawal.
 
Regardless of whether consent is required or not, the PPDL obliges data controllers to inform data subjects prior to the processing of their personal data about the purpose of the processing, any sectors or entities with which the personal data is to be shared, and any measures for the protection of personal data in the event of a possible transfer abroad. In this regard, too, an individual provision must be included in the employment contract.
 
However, the transfer of personal data abroad – with the exception of the circumstances set out in Art. 23 of the PPDL – is only permissible if an adequate level of data protection is also guaranteed in the country of the recipient by comparable laws (such as the GDPR in the case of EU countries) or international agreements, or if the foreign recipient of such data contractually undertakes to implement an adequate level of data protection. In this respect, a clause should already be included in the employment contract as a precautionary measure for the employee's consent to any data transfer.
 
In addition, the legal regulations require employers to take appropriate technical and organizational measures – for example, in the form of encryption or pseudonymization – to ensure the confidentiality and security of employee data. When processing such data, the employer must comply with and ensure the principles set out in Art. 5 PPDL, including the fairness, transparency and lawfulness of the processing or the limitation of the data to the actual purpose of the data processing.
 
In certain cases, such as the processing of large amounts of sensitive personal data, a sufficiently qualified data protection officer must also be appointed to ensure an adequate level of data protection. Sensitive personal data includes, in particular, data relating to a person’s family, religious beliefs, criminal record or health.
 
Furthermore, the law grants employees a right to information regarding the personal data processed by the employer in Art. 13, as well as a right to its communication in Art. 14 PPDL. In addition, the employee may request the rectification or completion in case of inaccuracy, as well as the deletion of personal data if they are no longer necessary for the purpose for which they are processed. However, this is not expected to affect the employer’s obligation under Art. 13 No. 1 of the Labor Code to keep records of employees for a period of at least two years after termination of the employment relationship.
 
Art. 29 PPDL provides an implementation period of six months for controllers and processors to adjust their status and ensure compliance with all obligations. However, this period does not start until the date of publication of the Implementing Regulation, which does not yet exist at this point in time. It is to be expected that the Implementing Regulation will further specify the legal provisions and, with them, the rights and obligations as well as their implementation.