The UAE enacted its first comprehensive federal data protection legislation through Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (commonly referred to as the PDPL), which came into force on 2 January 2022. The Executive Regulations, issued in 2024, provide detailed implementation guidance. Together, these instruments establish a data protection framework that broadly aligns with international standards, including the EU General Data Protection Regulation (GDPR), while incorporating provisions specific to the UAE legal context. For businesses operating in the UAE, compliance is no longer optional.
Scope and Application
The PDPL applies to any person or entity that processes personal data of individuals within the UAE, regardless of where the processing takes place. It covers all forms of personal data — any information that can identify a natural person, directly or indirectly, including name, identification number, address, electronic identifiers, and biometric data.
Critically, the PDPL does not apply to: personal data processed by government entities (which are subject to separate regulations); personal data processed in the Dubai International Financial Centre (DIFC), which has its own Data Protection Law (DIFC Law No. 5 of 2020); personal data processed in the Abu Dhabi Global Market (ADGM), which is governed by the ADGM Data Protection Regulations 2021; health data processed in healthcare free zones, which may be subject to sector-specific health data regulations; and personal data processed by an individual for purely personal or domestic purposes.
This multi-layered regulatory landscape means that businesses operating across the UAE mainland, DIFC, and ADGM may simultaneously be subject to three different data protection regimes — a compliance challenge that requires careful mapping of data flows and processing activities.
The UAE Data Office
The PDPL establishes the UAE Data Office as the competent authority for data protection. The Data Office is responsible for: issuing guidance and regulations to support implementation of the PDPL; receiving and investigating complaints from data subjects; conducting audits and inspections; maintaining a register of data controllers and processors; and coordinating with international data protection authorities.
Lawful Bases for Processing
Personal data may only be processed on one of the following lawful bases: the data subject has given clear and unambiguous consent; processing is necessary for the performance of a contract to which the data subject is party; processing is necessary for compliance with a legal obligation; processing is necessary to protect the vital interests of the data subject; processing is necessary for the performance of a task carried out in the public interest; and processing is necessary for the legitimate interests of the controller, provided that such interests do not override the rights and freedoms of the data subject.
For sensitive personal data — defined to include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal record, biometric data, genetic data, and health data — explicit consent of the data subject is generally required, and processing must comply with additional safeguards set out in the Executive Regulations.
Data Subject Rights
The PDPL grants data subjects the following rights: the right of access (to obtain confirmation of whether personal data is being processed and to receive a copy of that data); the right to rectification (to have inaccurate personal data corrected without undue delay); the right to erasure (to request deletion of personal data where it is no longer necessary for the purpose for which it was collected); the right to restrict processing; the right to data portability (to receive personal data in a structured, commonly used, machine-readable format); the right to object to processing based on legitimate interests or for direct marketing purposes; the right not to be subject to automated decision-making (including profiling that produces legal effects); the right to withdraw consent at any time; and the right to lodge a complaint with the UAE Data Office.
Controllers must respond to data subject requests within 14 days, or within such longer period as may be prescribed by the Executive Regulations for complex requests.
Cross-Border Data Transfers
The PDPL restricts the transfer of personal data outside the UAE to countries or organisations that do not provide an adequate level of data protection. Transfers are permitted if: the receiving country or territory has been determined by the UAE Data Office to provide an adequate level of protection; the controller has put in place appropriate safeguards, such as standard contractual clauses or binding corporate rules approved by the UAE Data Office; the data subject has given explicit consent to the transfer after being informed of the potential risks; the transfer is necessary for the performance of a contract with the data subject; or the transfer is necessary for important reasons of public interest.
The UAE Data Office is responsible for issuing the list of countries deemed to provide adequate protection. Until such a list is published, controllers should rely on standard contractual clauses or explicit consent for international transfers.
Data Protection Officer (DPO)
The PDPL requires certain controllers and processors to appoint a Data Protection Officer. The DPO must have expert knowledge of data protection law and practices, and must be free from conflicts of interest. The DPO's contact details must be provided to the UAE Data Office and made available to data subjects. The specific criteria triggering the DPO requirement — such as the volume of data processed or the nature of processing activities — are set out in the Executive Regulations.
Data Breach Notification
In the event of a personal data breach that is likely to result in harm to the data subject, the controller must notify the UAE Data Office without undue delay. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. The controller must also notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
Penalties and Enforcement
The PDPL itself does not specify detailed penalty amounts — the Executive Regulations and subsequent implementing decisions set out the specific fines and sanctions. Enforcement is primarily through the UAE Data Office, which has the power to issue warnings, impose corrective measures, and levy administrative fines. For context, the DIFC Data Protection Law provides for fines up to USD 100,000 per violation, while the ADGM Data Protection Regulations allow fines of up to USD 28 million. Businesses should anticipate that federal penalties under the PDPL will be substantial, though the precise amounts await further regulatory guidance.
Practical Compliance Steps
To achieve compliance, businesses should: conduct a comprehensive data mapping exercise to identify all personal data processing activities, data flows, and cross-border transfers; determine the lawful basis for each processing activity; update privacy notices and consent mechanisms to meet the PDPL's transparency requirements; implement data subject request procedures with 14-day response timelines; establish data breach detection and notification processes; appoint a DPO if required under the Executive Regulations; review and update data processing agreements with third-party processors; implement appropriate technical and organisational security measures; and conduct a Data Protection Impact Assessment (DPIA) for high-risk processing activities.
GSDA Legal Consultants advises businesses across the UAE, DIFC, and ADGM on data protection compliance, privacy policy drafting, cross-border transfer mechanisms, data breach response, and regulatory engagement with the UAE Data Office. Contact our regulatory compliance team for a data protection readiness assessment.