Data protection compliance in the Gulf states is a complicated business, with many different laws and requirements.
There is no single data protection and privacy law that covers the GCC (Gulf Cooperation Council) countries. Instead, a number of local laws regulate data protection and privacy.
Moreover, even those countries that don’t have specific data protection laws enshrine individuals’ rights to privacy in certain circumstances in their constitutions.
The DHC (Dubai Healthcare City) and DIFC (Dubai International Financial Centre) free zones in the UAE (United Arab Emirates), and the QFC (Qatar Financial Centre) in the State of Qatar have also enacted their own data protection laws based on international best practice, which apply to organisations in their jurisdiction.
The GDPR’s scope
Notwithstanding these local laws, all organisations that process EU (European Union) residents’ personal data must comply with the GDPR (General Data Protection Regulation), which gives data subjects a number of rights and, among many other obligations, requires data controllers and processors to implement appropriate technical and organisational measures to protect personal data.
If your organisation processes EU residents’ personal data, you need to abide by the GDPR’s rules. Failure to do so could result in fines of up to €20 million or 4% of annual global turnover – whichever is greater.
Your obligations under the GDPR are outlined at the end of the article, but for more detailed guidance please take a look at our GDPR compliance checklist.
Overview of data protection laws in the GCC
- Kingdom of Bahrain
Although there is no specific data protection law in Bahrain, its constitution contains provisions on confidentiality relating to postal, telegraphic, telephonic and electronic communications. There are also a number of laws that cover data protection and confidential information, including the Electronic Transactions Law, the Telecommunications Law and the Consumer Protection Law.
- State of Kuwait
Similar to Bahrain’s constitutional provisions, Kuwait’s constitution states that “The freedom of postal, telegraphic and telephonic communications is safeguarded and their secrecy is guaranteed.” Accordingly, any information transmitted by these means is considered confidential.
- Sultanate of Oman
Oman’s constitution recognises individuals’ right to confidentiality in all forms of communication. In addition, a number of laws relate to the use of personal information, including the Electronic Transactions Law and the Cyber Crime Law.
- State of Qatar
Qatar’s Personal Data Privacy Law (Law No. 13 of 2016) applies to “personal data that is electronically processed, or obtained, gathered or extracted in preparation for electronic processing, or when a combination of electronic and traditional processing is used”.
Under the law, individuals must provide consent before their personal information can be used by an organisation, businesses cannot send direct marketing messages electronically without obtaining recipients’ prior consent and organisations must take necessary precautions to “protect personal data from loss, damage, modification, disclosure or being illegally accessed”.
- The QFC
The QFC’s Data Protection Regulations are based on international best practice.
Among other stipulations, they require data controllers to ensure that personal data is processed fairly, lawfully and securely; processed for specified, explicit and legitimate purposes; adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed; accurate and, where necessary, kept up to date; and kept in a form that allows data subjects to be identified only for as long as is necessary for the purposes for which it was collected or is further processed.
There are six lawful bases for processing personal data; data transfers to jurisdictions outside the QFC can only take place if adequate levels of protection are applied; and data subjects have a number of rights, including the rights to obtain access, rectification, erasure and blocking, and to object.
Data controllers must implement appropriate technical and organisational measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and from all other unlawful forms of processing.
- Kingdom of Saudi Arabia
The legal system in Saudi Arabia is based on Sharia, under which the disclosure of secrets is prohibited. In addition to Sharia principles, Saudi Arabia has enacted a number of laws that affect the security of personal data, including the Anti-Cyber Crime Law, the Code of Ethics for Healthcare Practitioners, the Telecom Act and the Electronic Transactions Law.
- The UAE
The UAE’s constitution guarantees the secrecy and freedom of communication by post, telegraph or “other means of communication”.
NESA (the National Electronic Security Authority) was established in 2012 to improve the UAE’s cyber security. NESA produced the UAE IAS (Information Assurance Standards), compliance with which is mandatory for all government organisations and organisations in the critical infrastructure sector. The UAE IAS are based primarily on ISO 27001:2005, with additional controls taken from ISO 27001:2013 and NIST SP 800-53.
The 2012 cybercrimes law, meanwhile, criminalised the unauthorised access, alteration, interception, damage or use of data.
A number of sector-specific laws relate to data protection, including the Electronic Transactions and Commerce Law, and the Telecommunications Law.
- The DHC
The DHC is regulated by the Health Data Protection Regulation (Regulation No. 7 of 2013).
- The DIFC
Data protection in the DIFC is regulated by the DIFC Data Protection Law (Law No. 1 of 2007, as amended by DIFC Law No. 5 of 2012) and the DPR (Data Protection Regulations, Consolidated Version No. 2, in force on 23.12.2012).
EU data protection law: the GDPR
The GDPR came into effect on 25 May 2018, heralding a significant increase in responsibility for organisations that process EU residents’ personal data.
The GDPR applies to the processing of personal data wholly or partly by automated means, and to processing other than by automated means of personal data that forms part of, or is intended to be part of, a filing system. Its territorial scope extends:
- To all processing that takes place on behalf of data controllers or processors that are established in the EU – irrespective of whether the actual processing takes place within the EU.
- To the processing of EU residents’ personal data irrespective of whether the data controllers or processors are within or outside the EU – if the processing activities are related to the offering of goods and services to EU data subjects or the monitoring of the behaviour of data subjects within the EU.
- Where Member State law applies by virtue of public international law.
Under the GDPR, the definition of personal data is much broader than under the 1995 DPD (Data Protection Directive) it supersedes, taking in biometric, genetic and locational data, email addresses and online identifiers such as IP addresses.
A personal data breach is defined in Article 4 of the GDPR as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (i.e. data in any form).
Article 5 of the GDPR sets out six data processing principles.
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is permissible.
- Data minimisation
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.
- Storage limitation
Personal data must be kept in a form that allows data subjects to be identified for no longer than is necessary. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate technical and organisational measures being implemented.
- Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 6 of the Regulation states that processing is lawful only if and to the extent that one of the following applies:
- Consent
The data subject has given their explicit consent to the processing of his or her personal data for one or more specific purposes.
- Contract
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract.
- Legal obligations
Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests
Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public task
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child. (This basis doesn’t apply to processing carried out by public authorities in the performance of their tasks.)
GDPR compliance checklist
If your organisation processes EU residents’ personal data, it’s very likely that the GDPR will require you to make changes to your data processing practices.