Article (30): Protection of Payment and Personal Data

2/2024 Issued on 14/6/2024
1. A Licensed Payment Token Service Provider shall have in place and maintain adequate policies and procedures to protect Personal Data received or held by the provider and identify, prevent and resolve any data security breaches.
2. Licensed Payment Token Service Providers may disclose such Personal Data to:

a) a third party where the disclosure is made with the prior written consent of the Customer or is required pursuant to applicable laws;
b) the Central Bank;
c) other regulatory authorities upon request/following prior approval of the Central Bank;
d) a court of law; or
e) other government bodies who have lawfully authorized rights of access.
3. In addition to the disclosures envisaged in Article (30)2, Licensed Payment Token Service Providers may also disclose Personal Data to the corresponding Data Subject.
4. Licensed Payment Token Service Providers shall have in place and maintain Personal Data protection controls.
5. Personal Data shall be stored and maintained in the UAE unless otherwise approved by the Central Bank. Licensed Payment Token Service Providers must also establish a safe and secure backup of all Personal Data in a separate location for the required period of retention of five (5) years.
6. Licensed Payment Token Service Providers shall comply with applicable legal and regulatory requirements and standards on data protection, including as set out in or pursuant to the Consumer Protection Regulation. They shall control, process and retain only Personal Data that is necessary for the provision of Payment Token Services and upon obtaining the explicit consent of the Customer.