Hey Everyone, I've met with a roadblock with a prospect (billion dollar revenue company) based in UAE.
Their compliance regulations are stopping them from using Clay or other list building platforms. Would appreciate any insights on how anyone has worked around this.
“Our compliance team has sent this as the risk description:
Clay maintains its own broker platform in addition to sourcing personal data from third-party providers. As the enriched data the company wants to use constitutes Personal Data under the UAE Federal Decree Law No. 45 of 2021 (PDPL), the company must have a valid lawful basis—consent—to process such data for data enrichment and profiling. Since the company will not collect this consent directly from data subjects, and Clay has confirmed it doesn’t have consent, instead relying on Legitimate interest. Under UAE PDPL, “legitimate interest” is not a lawful basis; therefore, the proposed processing is unlawful under UAE PDPL.
In jurisdictions where legitimate interest is available (e.g., ADGM and GDPR), regulatory practice shows that data enrichment, profiling, and data brokerage often fail the balancing test and subsequently the Legitimate Interest assessment, due to lack of transparency, unexpected processing and unreasonable intrusion into individuals’ privacy expectations. There is a high risk the company would also not be compliant with these regulations if it were to proceed. The company has sought external counsel on the use of data brokers, and they have confirmed that their use within the UK and the EU carries significant risk and has been subject to extensive regulatory enforcement. While many corporations do use them, the legality of their use in the EU remains questionable and poses a potential risk to our business.
Potential Consequences
Non-compliance with DP laws leading to enforcement action, litigation, reputational damage.”
Had a similar concern from a Canadian company due to CASL law.