What does the law say?
We use the term “data protection” to describe the principles, policies and procedures used to ensure personal information is handled properly by the person to whom it is given. In some countries, there are substantial data protection laws and regulations controlling how your personal information is used by organisations, businesses and government (for example, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)). Although it is an EU Regulation, the GDPR also applies to businesses operating outside the EU if they offer goods or services to EU persons (data subjects) or monitor their behaviour. ADGM and DIFC each have comprehensive data protection legislation, but the laws on this subject are less developed outside these free zones. However, some of the region’s civil and criminal laws address a person’s right to privacy.
If it isn’t compulsory, why do I need one?
But I only collect the personal information so I can deliver my product to my customer.
Personal information may be collected for a variety of reasons. You may only collect names and email addresses as a first “sign up for more information” or registration step. You may need physical address, phone number and credit card details to complete the sale of your products and deliver them to your customer. You may ask your customers to complete a feedback form which provides additional demographic information about them which you would like to use as part of a future marketing campaign. The end purpose does not matter: it is the collecting of the personal information that is important.
• What personal information will you collect?
• How will your business collect the personal information?
• How will your business use the personal information you collect?
• How will you manage the personal information you collect?
• Who else will see or use the personal information?
• If your business will transfer the personal information to others, can the user opt out of sharing their personal information with those third parties?
What else do I need to know?
• Children and minors: If your business is aimed at children, or you collect personal information which indicates children are users of your website, consider whether you should take additional steps in relation to this information, e.g. obtaining parent/legal guardian consent. The legal age of majority in the UAE is 21 years (i.e. the age at which a person is considered an adult).
• Third party APIs: If your website uses APIs licensed by social networking sites (e.g. Facebook or Twitter), you must comply with their policies and they may impose additional requirements on you in relation to data protection.