This document establishes the Data Protection Protocol for The UAE baseline, measurement and reporting of food loss and waste study, ensuring compliance with UAE Federal Decree No. (45) of 2021 concerning the protection of personal data. It incorporates principles derived from relevant international frameworks while adhering strictly to UAE laws. The protocol outlines the measures and safeguards applied to the collection, processing, storage, and transfer of personal data. These measures aim to protect the rights of individuals, promote transparency, and mitigate risks of unauthorized access or breaches.
The scope of the project necessitates the collection of personal and demographic data, including interviews, food waste samples, and identifiable information such as names and addresses. All data-related activities will be conducted ethically and in full compliance with UAE regulations.
The primary aim of this protocol is to establish and enforce data protection measures that safeguard personal data collected during the project. These measures ensure the lawful, fair, and transparent processing of data, prevent misuse, and enable data subjects to exercise their rights. In addition, the protocol outlines the responsibilities of the project team and affiliated entities to maintain data confidentiality and integrity.
Data processing within the scope of the UAE baseline, measurement and reporting of food loss and waste study is conducted strictly in accordance with the UAE Federal Decree No. (45) of 2021. Personal data will be processed only when a legal basis is present, including explicit consent from data subjects, contractual necessity, compliance with legal obligations, or the pursuit of scientific research objectives. Special consideration will be given to the anonymization of data where identification is not required, ensuring privacy while achieving the project’s objectives.
The data collection process will prioritize transparency and fairness, ensuring that individuals understand why their data is being collected and how it will be used. Participants will provide explicit consent, documented through a project consent form, which will clearly explain:
Personal data will include names, addresses, contact information, household demographic details, and audio or video recordings of interviews. Collection methods will utilize secure technologies to minimize risks associated with unauthorized access or data breaches.
Personal data will be processed in a manner that aligns with the principles of lawfulness, fairness, and transparency. Processing activities will remain strictly limited to the purposes outlined at the point of collection. Measures such as pseudonymization and anonymization will be employed to ensure that identifiable information is protected wherever feasible. Access to personal data will be restricted to authorized personnel, who will handle the data according to their defined roles and responsibilities.
Additionally, robust data processing controls will be implemented to ensure that:
The security of personal data is of paramount importance. All data collected during the project will be stored securely, using encryption methods and access controls to prevent unauthorized access, breaches, or misuse. Physical data, such as signed consent forms (if any), will be kept in locked facilities with limited access.
Digital data will be encrypted both at rest and during transmission. Regular security audits will be conducted to ensure that these measures remain effective and compliant with evolving legal standards. Data retention will follow the principle of minimization, with personal data deleted or anonymized once it is no longer necessary for the project.
Data sharing within the project team and affiliated entities will be minimized and restricted to individuals and organizations with a legitimate need to access it. Any transfer of personal data outside the UAE will comply with Articles 22 and 23 of the Federal Decree. Transfers will only occur to jurisdictions with adequate data protection laws or when explicit consent from data subjects has been obtained. When possible, data will be anonymized before transfer to mitigate risks further.
Under UAE law, data subjects retain several rights, which this protocol fully supports. These rights include:
Clear procedures will be established for participants to exercise these rights. All requests from data subjects will be addressed promptly, and necessary actions will be taken to comply with legal requirements.
In the event of a data breach, an immediate assessment will be conducted to determine its nature and impact. Notification of the breach will be provided to the UAE Data Bureau within 72 hours, as required by law. Affected individuals will also be informed if the breach poses a risk to their privacy or data security.
Incident response measures will include documentation of the breach, mitigation actions to prevent recurrence, and a thorough review of the systems and protocols involved. The project team will cooperate fully with regulatory authorities during any investigations.
This protocol will be reviewed biannually to ensure continued compliance with UAE data protection laws and relevance to the project’s objectives. Amendments will be documented and communicated to all stakeholders. Changes in the scope of the project or applicable legislation will trigger immediate reviews to update the protocol as necessary.
As a participant in this project, you have specific rights concerning the personal data we collect, process, and store. You are entitled to request access to the personal data held about you and obtain confirmation regarding whether such data exists. Upon request, you can be informed about the content, purpose, and source of the data, and verify its accuracy. Should any inaccuracies be identified, you have the right to request corrections, deletions, or restrictions on the use of your data. Additionally, you may object to certain types of processing, depending on the circumstances.
Please note that restricting access to or use of your data may affect the delivery of services dependent on this information or compliance with legal obligations. To protect your privacy and ensure the security of your data, we may take steps to verify your identity before fulfilling your requests.