Credit information and data protection in the UAE

Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data

Sana Saleem - Associate - Digital & Data

June 2014

In this article, we provide some further background to the role of the Credit Bureau, and comment on some of the data protection considerations addressed in the related law and regulations.

Al Etihad Credit Bureau was established in 2010 pursuant to Federal Law No. 6 of 2010 (Credit Information Law). The recent approval of Cabinet Resolution No. 16 of 2014 (Regulations) provides greater visibility of some of the operational aspects of the Credit Bureau.

The Credit Bureau was established to provide a single source of reliable data regarding credit information relating to natural and legal persons in the UAE. The basic intention is to enable lenders to better assess the credit-worthiness of prospective borrowers, and to provide a mechanism for limiting the ability of borrowers to take on unserviceable levels of debt.

Commercial banks and financial institutions in the UAE are required to provide the Credit Bureau with the credit information it requests. The Credit Bureau is entitled to specify the form in which such data is to be provided. The release of such information to the Credit Bureau in accordance with the Credit Information Law and Regulations will not be considered a breach of confidentiality.

Credit information reports issued by the Credit Bureau will include financial details of the concerned person (including details of any assets burdened with any types of pledge or guarantee), information on the concerned person’s failure to pay any amount to the information provider, and court decisions involving the concerned person. Reports will not include the likes of the value of mortgaged assets, details of the concerned person’s investments or amounts deposited with the information provider, or the information provider’s credit rating assessment of the concerned person.

The gathering of credit information raises a number of concerns from a data protection perspective. The Credit Information Law and its Regulations seek to address these in a number of ways, examples of which include:

  • a prohibition on the collection and circulation of data or details that relate to a person’s private life, opinions, beliefs or health condition;
  • a requirement to obtain the consent of the data subject before issuing any credit information reports relating to such person;
  • a requirement to use information gathered only for the purposes for which it has been provided;
  • an obligation on recipients of credit information to keep such information confidential;
  • an obligation on the Credit Bureau to use modern systems to maintain credit information, and to implement suitable security and information security mechanisms, and
  • the right of the data subject to request the correction of errors relating to his or her credit information.

Pursuant to the Credit Information Law, the Credit Bureau has an exclusive right to request, collect, keep, analyse, classify, use and circulate financial data relating to the financial obligations of any person. There is a prohibition on any other person or entity conducting such operations. On its face, this provision will ensure that credit information collection and reporting is centralised with a single entity; in a small country such as the UAE this approach seems practical.

The Credit Information Law penalises a number of offences. These include penalties of up to two years’ imprisonment, a fine of AED 50,000, or both, for anyone who reveals credit information other than as authorised by the Credit Information Law or its Regulations, and the same penalty for anyone who obtains credit information without obtaining the approvals required pursuant to the Credit Information Law or Regulations, or by using fraudulent methods or incorrect information. Violation of any provision of the Credit Information Law, where a specific penalty is not provided, is also an offence attracting imprisonment, a fine of AED 10,000, or both.

With the cooperation of commercial banks and financial institutions, the Credit Bureau is expected to fulfil an important function in the UAE economy, by providing a means by which lenders can manage their risk, and by reducing the number of borrowers over-exposed to unserviceable levels of debt.

Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data protection issues, including in the context of financial services. For further information about these matters, please contact Nick O’Connell –