Book an appointment with us, or search the directory to find the right lawyer for you directly through the app.
Find out moreThis Edition of Law Update, From Africa to Asia: Legal Narratives of Change and Continuity, takes you on a journey through dynamic markets.
Africa is undergoing a tech-driven transformation, overcoming regulatory challenges while its startup ecosystem thrives. India’s legal framework is evolving rapidly, keeping pace with its expanding economy and diverse business environment.
We also dive into China’s regulatory shifts, particularly how they are shaping investments in the MENA region, and explore Korea’s innovative global partnerships, which are driving advancements in industries across the UAE and beyond.
Read NowSana Saleem - Associate - Digital & Data
Nick O’Connell - Partner, Head of Digital & Data - Saudi Arabia - Digital & Data
November 2016
In a data protection context, a ‘data controller’ can broadly be understood as someone (usually a corporate entity) who determines the purposes for which personal data is processed. ‘Personal data’ can generally be understood as data relating to an identifiable natural person, and a ‘data subject’ can be understood as the identifiable natural person to whom such personal data relates. The concept of ‘processing’ is very broad, and can include the collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, combination, erasure or destruction of personal data.
Information obligations
Data controllers need to provide data subjects with certain information to ensure that the processing of such data subjects’ personal data is fair and legitimate. This needs to be considered when preparing or reviewing privacy policies intended to serve as formal notification to data subjects of such personal data processing activities.
Whether or not personal data is collected directly from data subjects, in each of the relevant jurisdictions data subjects must be informed of the identity of the data controller, the purposes of the intended processing of personal data, and any further information necessary to guarantee fair processing in relation to the data subject; having regard to the specific circumstances in which the personal data is collected. The latter may include:
Where personal data is collected directly from the data subject, information on whether replies to questions are obligatory or voluntary, as well as the possible consequences of failure to reply, should also be communicated to the data subject to ensure fair processing. Where personal data is not collected directly from the data subject, information on the category of personal data concerned should also be communicated to the data subject to ensure fair processing.
The data controller need not provide information that the data controller reasonably expects the data subject already has. Additionally, in the case of personal data not collected directly from the data subject, the provision of the information contemplated above is not required if it proves impossible to do so or would involve a disproportionate effort.
The manner in which such information is communicated to the data subject is not prescribed, although it needs to be consistent with the general obligation to process personal data fairly.
Right to access; right to rectify
In addition to the right to be provided with certain information as outlined above, the data protection laws and regulations in the DIFC, ADGM and QFC also provide data subjects with certain other rights with regard to access to, and rectification, erasure or blocking of, personal data, as well as a right to object to processing.
A data subject has the right to obtain from the data controller upon request, at reasonable intervals and without excessive delay or expense:
A data subject also has the right to object to the processing of personal data at any time on reasonable grounds relating to the data subject’s particular situation; and the right to be informed before personal data is disclosed for the first time to third parties or used for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses.
Data subject access rights do not apply to the actions of the various regulators, authorities and companies’ registrars in the relevant jurisdictions if the application of such provisions would be likely to prejudice the proper discharge of the powers and functions of these entities, in so far as those powers and functions are designed to protect members of the public against dishonesty, malpractice or other seriously improper conduct.
Data controllers operating in the DIFC, ADGM and QFC need to be aware of their obligations with regard to properly informing data subjects of personal data processing involving such data subjects’ personal data, and addressing legitimate data subject access requests.
Al Tamimi & Company’s Technology, Media & Telecommunications team regularly advises on data and data protection issues throughout the Middle East. For further information please contact Nick O’Connell (n.oconnell@tamimi.com) or Sana Saleem (s.saleem@tamimi.com).
To learn more about our services and get the latest legal insights from across the Middle East and North Africa region, click on the link below.