United Arab Emirates Data Privacy
Overview
Federal Decree Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”) regulates the collection, use and processing of personal data in the UAE (excluding the Dubai Financial Centre (“DIFC”) and the Abu Dhabi Global Market (“ADGM”)) (“onshore UAE”). The PDPL sets out the conditions for lawful processing and protection of personal data. The PDPL states that Executive Regulations will be issued to supplement the PDPL. These Executive Regulations have not been issued to date.
The PDPL does not apply in the DIFC and the ADGM. Both the DIFC and the ADGM have their own data protection regulations which are not addressed on this webpage.
AWS is vigilant about customers’ privacy and data security. Security at AWS starts with our core infrastructure. Custom-built for the cloud and designed to align with the most stringent security requirements in the world, our infrastructure is monitored 24x7 to help ensure the confidentiality, integrity, and availability of our customers’ data. The same security experts who monitor this infrastructure also build and maintain our broad selection of security services, which can help customers simplify meeting their own security and regulatory requirements. Regardless of their size or location, AWS customers benefit from our experience and from our support of the highest privacy standards and compliance certifications.
AWS implements and maintains technical and organizational security measures applicable to AWS cloud infrastructure services under globally recognized security assurance frameworks and certifications, including ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and SOC 1, 2, and 3. These technical and organizational security measures are validated by independent third-party assessors, and are designed to prevent unauthorized access to or disclosure of customer content.
For example, ISO 27018 is the first international code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO 27002 information security standard and provides implementation guidance on ISO 27002 controls applicable to Personally Identifiable Information (PII) processed by public cloud service providers. The ISO 27018 certification demonstrates to customers that AWS has a system of controls in place that specifically addresses the privacy protection of their content.
These comprehensive AWS technical and organizational measures are consistent with the goals of the PDPL to protect personal data. Customers using AWS services maintain control over their content and are responsible for implementing additional security measures based on their specific needs, including content classification, encryption, access management and security credentials.
AWS does not have visibility into or knowledge of what customers are uploading onto AWS Services. Customers are ultimately responsible for their own compliance with the PDPL and other data protection and privacy laws applicable to them. The content on this page supplements the existing Data Privacy resources to help customers align their requirements with the AWS Shared Responsibility Model when they store and process personal data using AWS services.
What is identified as “Personal Data” under the PDPL?
"Personal Data" is defined as "any data relating to an identified natural person, or a natural person who can be identified, directly or indirectly, by way of linking data, using identifiers such as his name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, physiological, psychological, economic, cultural or social identity of such person."
To whom does the PDPL apply?
The PDPL applies to controllers and processors:
- located in onshore UAE who process personal data of data subjects inside or outside of onshore UAE;
- located outside of onshore UAE who process personal data of data subjects in onshore UAE.
The PDPL does not apply:
- in the UAE financial free zones, being the DIFC and the ADGM;
- to government data, government authorities that control or process personal data, or security and judicial authorities that process personal data;
- to a data subject’s use of personal data for personal purposes; or
- to personal health data and information, or personal banking and credit data and information;
as such above-referenced personal data and information is covered by separate legislation not addressed on this webpage.
What are the PDPL’s requirements for cross border data transfers?
The PDPL allows for the cross-border transfer of personal data subject to the following conditions:
- Transfer of personal data to a country with equivalent and adequate data protection legislation is permitted if one of the following applies:
  - The country or territory where the personal data will be transferred has special legislation on the protection of personal data. The list of countries which have equivalent and adequate data protection legislation has not yet been made publicly available.
  - The UAE is party to an agreement with the country to which personal data is to be transferred, acknowledging that such other country’s data protection regulation(s) adequately protect the personal data of data subjects in the UAE.
- Transfer of personal data to a country with inadequate or no data protection legislation is permitted if one of the following applies:
  - The transfer is made under a contract or agreement that obliges the party in such country (i.e. the party receiving and processing the data in such other jurisdiction) to implement the provisions, measures, controls and requirements set out in the PDPL, including provisions related to imposing appropriate measures on the controller or processor through a competent supervisory or judicial authority in such country, to be specified in the contract.
  - The data subject has given express consent to the transfer of his/her personal data outside of onshore UAE in a manner that does not conflict with the security and public interest of the UAE.
  - The transfer is necessary to fulfill obligations and establish, exercise or defend rights before judicial authorities.
  - The transfer is necessary to enter into or execute a contract between the controller and data subject, or between the controller and a third party to achieve the data subject's interest.
  - The transfer is necessary to perform a procedure relating to international judicial cooperation.
  - The transfer is necessary to protect the public interest.
What is the customer’s role in securing their content?
Under the AWS Shared Responsibility Model, AWS customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site data center. Customers can build on the technical and organizational security measures and controls offered by AWS to manage their own compliance requirements. Customers can use familiar measures to protect their data, such as encryption and multi-factor authentication, in addition to AWS security features like AWS Identity and Access Management.
When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between:
- Security measures that AWS implements and operates – "security of the cloud", and
- Security measures that customers implement and operate, related to the security of their customer content and applications that make use of AWS services – "security in the cloud".
Who can access customer content?
Customers maintain ownership and control of their customer content and select which AWS services process, store and host their customer content. AWS does not have visibility into customer content and does not access or use customer content except to provide the AWS services selected by a customer or where required to comply with applicable law or a binding legal order.
Customers using AWS services maintain control over their content within the AWS environment. They can:
- Determine where it will be located, for example the type of storage environment and geographic location of that storage.
- Control the format of that content, for example plain text, masked, anonymized or encrypted, using either AWS provided encryption or a third-party encryption mechanism of the customer’s choice.
- Manage other access controls, such as identity access management and security credentials.
- Control whether to use SSL, Virtual Private Cloud and other network security measures to help prevent unauthorized access.
This allows AWS customers to control the entire life-cycle of their content on AWS and manage their content in accordance with their own specific needs, including content classification, access control, retention and deletion.
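The controls listed above (choosing where content is located, and restricting who can reach it) are things the customer configures, not something AWS applies on the customer's behalf. The following is an added example, not AWS's own code or a policy from this page: it expresses a data-residency guardrail as an AWS Organizations service control policy (SCP) that denies API calls outside the customer's chosen Region(s), and pairs it with a small offline evaluator that mirrors the SCP's deny logic so the policy can be unit-tested before it is attached to an organization. The `aws:RequestedRegion` condition key is a real IAM global condition key; the Region code `me-central-1`, the list of exempted global services and the request records are assumptions constructed for illustration.

```python
"""Added example (not AWS's own code): a Region-residency SCP plus an offline
evaluator for it. Assumed values: the Region code "me-central-1" for the AWS
Middle East (UAE) Region, the exempted global-service action patterns, and the
constructed request records at the bottom of the file."""

import json

# Assumption: the customer's chosen Region(s). Adjust to the Regions you select.
ALLOWED_REGIONS = ["me-central-1"]

# Assumption: services whose API calls are not Region-scoped and must stay
# reachable; a real deployment would tune this list to its own needs.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*"]


def build_residency_scp(allowed_regions):
    """Return an SCP document that denies every action, except the exempted
    global-service actions, whenever the request targets a Region outside
    allowed_regions. Deny statements in an SCP cannot be overridden by
    account-level IAM policies, which is what makes this a guardrail."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideChosenRegions",
                "Effect": "Deny",
                "NotAction": list(GLOBAL_SERVICE_ACTIONS),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with a trailing '*' wildcard."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def is_denied(scp, action, region):
    """Offline mirror of the SCP's deny logic: True when the given action in
    the given Region would be blocked by a Deny statement in scp. Only the
    subset of policy grammar used by build_residency_scp is understood."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the statement applies to every action NOT in the list.
        if "NotAction" in stmt:
            if any(_action_matches(p, action) for p in stmt["NotAction"]):
                continue
        elif "Action" in stmt:
            if not any(_action_matches(p, action) for p in stmt["Action"]):
                continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion")
        if allowed is not None and region not in allowed:
            return True
    return False


def evaluate_requests(scp, requests):
    """Evaluate a batch of (action, region) request records against the SCP,
    returning a list of (action, region, verdict) tuples."""
    return [
        (r["action"], r["region"], "DENY" if is_denied(scp, r["action"], r["region"]) else "ALLOW")
        for r in requests
    ]


# Constructed sample requests (not real API logs): an object write in the chosen
# Region, the same write to a Region outside the allowed list, and an IAM call,
# which is global and therefore exempt from the Region condition.
SAMPLE_REQUESTS = [
    {"action": "s3:PutObject", "region": "me-central-1"},
    {"action": "s3:PutObject", "region": "eu-west-1"},
    {"action": "iam:CreateUser", "region": "us-east-1"},
]

if __name__ == "__main__":
    scp = build_residency_scp(ALLOWED_REGIONS)
    print(json.dumps(scp, indent=2))
    for action, region, verdict in evaluate_requests(scp, SAMPLE_REQUESTS):
        print(f"{verdict:5} {action} in {region}")
```

The evaluator is deliberately narrow: it understands only the `Deny` / `NotAction` / `StringNotEquals` shape that `build_residency_scp` emits, which is enough to catch the common mistake of forgetting to exempt a global service (the `iam:CreateUser` record would flip to `DENY` if `iam:*` were dropped from the exemption list). It does not replace the IAM policy simulator for policies that use other grammar.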
Where will customer content be stored?
AWS data centers are built in clusters in various locations around the world. We refer to each of our data center clusters in a given location as a "Region."
AWS customers choose the AWS Region(s) where their content will be stored. This allows customers with specific geographic requirements to establish environments in the location(s) of their choice.
Customers can replicate and back up content in more than one Region, but AWS does not move customer content outside of the customer’s chosen Region(s), except to provide services as requested by customers or comply with applicable law.
How does AWS secure its data centers?
The AWS data center security strategy is assembled with scalable security controls and multiple layers of defense that help to protect customers’ information. For example, AWS carefully manages potential flood and seismic activity risks. We use physical barriers, security guards, threat detection technology, and an in-depth screening process to limit access to data centers. We back up our systems, regularly test equipment and processes, and continuously train AWS employees to be ready for the unexpected.
To validate the security of our data centers, external auditors perform testing on more than 2,600 standards and requirements throughout the year. Such independent examination helps ensure that security standards are consistently being met or exceeded. As a result, some of the most highly regulated organizations in the world trust AWS to protect their data.
Which AWS Regions can I use?
Customers can choose to use any one Region, all Regions or any combination of Regions. Visit the AWS Global Infrastructure page for a complete list of AWS Regions.
In addition, customers can now run their applications and workloads in the AWS Middle East (UAE) Region to reduce latency to their end users while avoiding the up-front expenses, long-term commitments, and scaling challenges associated with maintaining and operating their own infrastructure.
What security measures does AWS have in place to protect systems?
The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Amazon's scale allows for a significant investment in security policing and countermeasures. The AWS Cloud infrastructure comprises the hardware, software, networking, and facilities that run AWS services, which provide powerful controls to customers and APN Partners, including security configuration controls, for the handling of personal data. More details on the mechanisms that AWS has implemented to manage risk on the AWS side of the Shared Responsibility Model, and the tools that customers can use to gain assurance that these mechanisms are being implemented effectively, can be found in the AWS Risk and Compliance resources.
AWS also provides several compliance reports from third-party auditors who have tested and verified our compliance with a variety of security standards and regulations, including ISO 27001, ISO 27017, and ISO 27018. To provide transparency on the effectiveness of these measures, we provide access to the third-party audit reports in AWS Artifact. These reports show our customers and APN Partners, who may act as either data controllers or data processors, that we are protecting the underlying infrastructure upon which they store and process personal data. For more information, visit our Compliance Resources.