What this guide covers
- What is the UAE PDPL
- Territorial and material scope
- Key obligations for data controllers
- Consent requirements
- Cross-border data transfers
- Data Protection Officer (DPO)
- Data breach notification
- Penalties and enforcement
- DIFC and ADGM data protection
- Compliance checklist
- What we would typically advise
- Frequently asked questions
The UAE's first comprehensive federal data protection law has been in force since January 2022 — and its Executive Regulation, in force since 2024, has sharpened the compliance obligations substantially. This guide sets out the law's scope, the obligations it imposes on businesses, and a practical compliance programme for UAE controllers and processors.
What is the UAE PDPL
Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the PDPL) is the UAE's principal federal data protection statute. It entered into force on 2 January 2022, replacing a fragmented patchwork of sector-specific and emirate-level data protection provisions that had previously applied to different industries and geographic areas.
The implementing rules are set out in Cabinet Decision No. 33 of 2024 (the Executive Regulation), which entered into force in 2024 and provides detailed operational requirements on topics including data subject rights procedures, consent mechanisms, cross-border transfer safeguards, and data breach notification timelines. The UAE Data Office (UAEDO) is the national supervisory authority responsible for enforcing the PDPL and issuing supplementary guidance.
Structurally, the PDPL draws on international frameworks — particularly the EU General Data Protection Regulation (GDPR) and the OECD Privacy Guidelines — but is calibrated to the UAE regulatory and commercial environment. Key concepts such as lawful basis, data minimisation, purpose limitation, and data subject rights will be familiar to practitioners who have worked with GDPR-aligned regimes.
Important jurisdictional note: Two UAE financial free zones — the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) — have enacted their own data protection laws: the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020) and the ADGM Data Protection Regulations 2021. These regimes are legally separate from the federal PDPL and are enforced by their own regulatory bodies. Entities established in DIFC or ADGM are governed by those laws, not the PDPL, for processing activities connected to those jurisdictions. See the section on DIFC and ADGM data protection below.
Territorial and material scope
The PDPL applies to the processing of personal data in two primary circumstances:
(i) Processing in the UAE: any controller or processor established in or operating from the UAE that processes personal data in connection with its activities in the UAE.
(ii) Extra-territorial scope: processing by entities outside the UAE where the processing relates to personal data of individuals located in the UAE — including where goods or services are offered to UAE residents, or where their behaviour is monitored. This brings multinational businesses, SaaS providers, e-commerce platforms, and analytics companies within scope even without a UAE physical presence.
What counts as personal data: any information that directly or indirectly identifies a natural person. This includes names, identification numbers, location data, online identifiers (IP addresses, device IDs, cookies), voice recordings, images, and any combination of information that can identify an individual. The PDPL separately categorises sensitive personal data (see the section on consent requirements below), which attracts more stringent obligations.
Exemptions from scope: the following are excluded from PDPL requirements:
- Government entities processing data in exercise of their official functions (subject to separate public sector data governance rules)
- Processing for security, judicial, or law enforcement purposes
- Processing by individuals for purely personal or family activities (household exemption)
- Processing for journalistic, literary, artistic, or research purposes, subject to conditions including anonymisation where feasible and proportionate use
Entities incorporated in DIFC and ADGM are not within scope of the federal PDPL for activities conducted within those jurisdictions. However, a company with onshore UAE operations alongside a DIFC or ADGM establishment will likely be subject to both the PDPL (for its onshore activities) and the relevant free zone law (for its free zone activities). Careful mapping of data flows across legal entities is essential.
Key obligations for data controllers
The PDPL distinguishes between data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers). Controllers bear primary compliance obligations; processors must act only on controller instructions and are subject to data processing agreement requirements.
Lawful basis for processing
Every processing activity requires a lawful basis. The PDPL provides six bases:
(1) Consent — freely given, specific, informed, and unambiguous consent of the data subject (see the section on consent requirements below for detailed requirements).
(2) Contractual necessity — processing necessary for the performance of a contract to which the data subject is a party, or to take pre-contractual steps at the data subject's request.
(3) Legal obligation — processing necessary to comply with a legal obligation to which the controller is subject under UAE law.
(4) Vital interests — processing necessary to protect the vital interests of the data subject or another natural person.
(5) Public interest or official authority — processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
(6) Legitimate interests — processing necessary for the purposes of legitimate interests pursued by the controller or a third party, except where those interests are overridden by the data subject's interests or fundamental rights.
Controllers must identify and document the lawful basis before commencing any processing activity. Relying on the wrong basis — for example, defaulting to consent when legitimate interests would suffice, or claiming legitimate interests for high-risk processing that requires consent — is itself a compliance violation.
Privacy notice requirements
Controllers must provide data subjects with a privacy notice at the time of data collection (or, where data is not collected directly, within a reasonable period). The notice must include: the identity and contact details of the controller; the purposes and legal basis for processing; the categories of data processed; recipients of the data including any cross-border transfers; the retention period; the data subject's rights and how to exercise them; and (where consent is the basis) the right to withdraw consent at any time without penalty.
Privacy notices must be written in plain, clear language accessible to the audience. For consumer-facing products targeting UAE residents, the notice should be available in Arabic. The UAEDO has issued guidance on layered notice formats appropriate for digital services.
Data subject rights
The PDPL confers the following rights on data subjects, which controllers must facilitate through defined procedures and within reasonable timeframes (typically 30 days, subject to extension):
- Right of access: the right to obtain confirmation of whether personal data is being processed and to receive a copy of that data together with supplementary information about the processing
- Right of rectification: the right to have inaccurate or incomplete personal data corrected or supplemented without undue delay
- Right of erasure (right to be forgotten): the right to have personal data deleted where it is no longer necessary for the purpose for which it was collected, consent has been withdrawn, the data has been unlawfully processed, or deletion is required by law
- Right to restriction of processing: the right to have processing temporarily suspended in specified circumstances, including while the accuracy of data is contested or an objection is being assessed
- Right to data portability: the right to receive personal data provided to the controller in a structured, commonly used, and machine-readable format, and to have that data transmitted to another controller where technically feasible
- Right to object: the right to object to processing based on legitimate interests or public interest, including profiling; the controller must cease processing unless it demonstrates compelling legitimate grounds overriding the data subject's interests
Controllers must have documented procedures for receiving, logging, and responding to data subject requests. Requests must not be refused on vexatious grounds. Where a request is refused, the controller must inform the data subject of the reasons and their right to complain to the UAEDO.
Data quality principles
The PDPL imposes four data quality obligations that should be operationalised in data governance processes: purpose limitation (data collected for one purpose may not be processed for an incompatible purpose); data minimisation (only data adequate, relevant, and limited to what is necessary for the stated purpose may be collected); accuracy (reasonable steps must be taken to ensure data is accurate and kept up to date); and storage limitation (data must not be retained in identifiable form for longer than necessary for the stated purpose).
Security obligations
Controllers and processors must implement technical and organisational measures appropriate to the risk of processing, including: encryption of data in transit and at rest; access controls and authentication mechanisms; regular security testing and auditing; staff training on data protection; and incident response procedures. The standard is risk-proportionate — higher-risk processing (large-scale sensitive data processing, profiling, automated decision-making) requires commensurately more robust security measures.
Consent requirements
Where processing is based on consent, that consent must meet four cumulative requirements under the PDPL: it must be specific (to a defined purpose, not bundled across multiple unrelated purposes); informed (given after receipt of a clear privacy notice); unambiguous (expressed through a clear affirmative act — pre-ticked boxes, silence, or inactivity do not constitute valid consent); and freely given (not conditioned on agreement to a contract or service where consent is not necessary for that contract).
Consent must be withdrawable at any time. Controllers must make withdrawal as easy as giving consent, and must stop processing within a reasonable time after withdrawal. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Special categories of sensitive personal data
The PDPL establishes a higher-protection category for the following types of data: health and medical data; biometric data (fingerprints, facial recognition, iris scans); genetic data; criminal records and judicial data; financial and credit data; and data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
Processing sensitive personal data requires explicit consent — this is a heightened standard above ordinary consent, requiring the data subject to specifically consent to the sensitivity category (not merely to the processing in general). Even with explicit consent, additional safeguards are required: documented necessity assessment; restricted internal access on a need-to-know basis; enhanced security controls; and in high-risk scenarios, a Data Protection Impact Assessment (DPIA).
Limited exceptions to explicit consent exist for sensitive data: processing necessary for vital interests where the data subject is incapable of giving consent; processing by not-for-profit bodies in the context of their legitimate activities; processing for the establishment, exercise, or defence of legal claims; and processing required by law for employment or social protection purposes. These exceptions are narrow and must be documented carefully.
Cross-border data transfers
The PDPL prohibits the transfer of personal data outside the UAE unless one of the following conditions is satisfied. This applies to any transmission, remote access, or other sharing of data with recipients in non-UAE locations — including cloud services hosted outside the UAE, group company data sharing across borders, and use of foreign processors.
Adequate protection — approved countries list
Transfers are permitted to countries that the UAE Data Office has determined provide an adequate level of data protection equivalent to the PDPL. The UAEDO maintains and periodically updates this list. As at the date of this guide, the approved countries list includes a number of countries with GDPR-equivalent or strong data protection regimes. Controllers should verify the current list on the UAEDO website before relying on adequacy as a transfer basis.
Appropriate safeguards
Where the destination country is not on the adequacy list, transfers may proceed if the controller puts in place appropriate safeguards. The PDPL and Executive Regulation recognise the following safeguard mechanisms: (i) Standard Contractual Clauses (SCCs) — template contractual provisions approved by the UAEDO that contractually impose PDPL-equivalent protections on the overseas recipient; (ii) Binding Corporate Rules (BCRs) — approved intra-group policies that provide PDPL-equivalent protection across a multinational group; and (iii) approved codes of conduct or certification schemes where these have been endorsed by the UAEDO as providing adequate protection.
Controllers using SCCs or BCRs must conduct a transfer impact assessment to verify that the destination country's legal environment does not undermine the effectiveness of the safeguards. Where government access laws in the destination country would override contractual safeguards, additional measures (supplementary technical measures such as end-to-end encryption with keys held in the UAE, or restrictions on data types transferred) are required.
Specific derogations
In the absence of adequacy or safeguards, transfers may still occur under limited derogations: (i) the data subject has given explicit informed consent to the specific transfer after being informed of the risks; (ii) the transfer is necessary for the performance of a contract between the data subject and the controller (for example, booking international travel); (iii) the transfer is necessary for important reasons of public interest recognised by UAE law; (iv) the transfer is necessary for the establishment, exercise, or defence of legal claims; or (v) the transfer is necessary to protect vital interests of the data subject or others where the data subject cannot give consent.
Derogations are by definition exceptional — they cannot be used for systematic, large-scale, or routine transfers. Over-reliance on derogations is a regulatory risk; controllers should build a sustainable transfer mechanism (adequacy or SCCs) as the standard approach.
Data Protection Officer (DPO)
Appointment of a Data Protection Officer is mandatory under the PDPL for controllers in any of the following categories:
- Controllers whose core activities involve large-scale processing of sensitive personal data (health, biometric, genetic, financial, criminal records)
- Controllers conducting processing activities that are likely to result in high risk to the rights and interests of data subjects — including systematic profiling, large-scale monitoring of public areas, automated decision-making with significant individual impact
- Public authorities and government bodies, regardless of scale of processing
Where a DPO is required, the individual must have expert knowledge of data protection law and practice. The DPO can be an employee (internal DPO) or an external service provider (outsourced DPO) — the PDPL does not require the DPO to be based in the UAE, but they must be accessible to data subjects and the UAEDO. The DPO's contact details must be published and communicated to the UAEDO.
The DPO's principal functions are: advising the controller on PDPL compliance obligations; monitoring compliance with the PDPL and internal data protection policies; providing training and awareness to data processing staff; cooperating with the UAEDO on investigations and audits; and acting as the first point of contact for data subjects exercising their rights. Critically, the DPO must not receive instructions regarding the exercise of their tasks — they report directly to senior management and cannot be dismissed or penalised for performing their functions.
Controllers below the mandatory threshold — including most SMEs and businesses processing only ordinary employee and customer data at modest scale — are not legally required to appoint a DPO. However, voluntary appointment of a DPO or designation of a responsible data protection lead demonstrates accountability to regulators and can reduce investigative risk in the event of a complaint or incident.
Data breach notification
The PDPL introduces a mandatory data breach notification regime with two tiers of obligation:
Notification to the UAE Data Office: where a personal data breach is likely to result in harm to data subjects (reputational, financial, physical, or other harm), the controller must notify the UAEDO within 72 hours of becoming aware of the breach. The notification must include: a description of the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate volume of data records affected; the likely consequences of the breach; and the measures taken or proposed to address the breach.
Notification to data subjects: where the breach is likely to result in high risk to the rights of data subjects — for example, where sensitive data has been exposed or where the breach could enable identity fraud — the controller must also notify affected data subjects without undue delay. The notification to data subjects must describe the nature of the breach, the likely consequences, and the measures taken, in clear and plain language. Notification to data subjects may be delayed if it would prejudice an ongoing criminal investigation, subject to UAEDO guidance.
Controllers are exempt from the notification obligation to data subjects if: (i) the affected data was encrypted or otherwise rendered unintelligible such that the breach does not pose a risk; or (ii) the controller has taken subsequent measures that ensure the high risk no longer materialises. However, the controller must still notify the UAEDO even if the data subject notification exemption applies.
All personal data breaches — including those below the notification threshold — must be documented internally in a data breach register, recording the facts, effects, and remedial action taken. This register is subject to UAEDO inspection.
Penalties and enforcement
The PDPL establishes a graduated penalty framework enforced by the UAE Data Office. Administrative fines can reach AED 5,000,000 (approximately USD 1.36 million) per violation. This is the headline maximum; the UAEDO takes into account aggravating and mitigating factors including the nature, gravity, and duration of the violation; the number of data subjects affected; the level of damage or harm caused; whether the violation was intentional or negligent; and the controller's prior compliance history.
In addition to financial penalties, the UAEDO has power to order: cessation of processing activities pending compliance; erasure or destruction of unlawfully processed data; suspension of data transfers to third parties or overseas; public disclosure of violations (naming the non-compliant entity); and referral to prosecutors for criminal investigation.
Criminal liability: the PDPL provides for criminal liability — including imprisonment — for intentional violations. Specifically, intentional unlawful processing of sensitive personal data, intentional disclosure of personal data in breach of the PDPL's confidentiality provisions, and intentional obstruction of UAEDO investigations can attract criminal prosecution in addition to administrative penalties. Criminal referrals are made by the UAEDO to the Public Prosecution.
Repeat violations attract substantially higher penalties. The UAEDO has authority to double the maximum fine for second and subsequent violations within a defined period. This makes sustained non-compliance significantly more expensive than investment in an initial compliance programme.
The PDPL also creates civil liability — data subjects who suffer material or non-material damage as a result of a PDPL violation can bring civil claims for compensation through UAE courts. This is separate from and cumulative with UAEDO administrative enforcement.
DIFC and ADGM data protection
The DIFC and ADGM each operate autonomous legal systems within their respective free zones, with data protection regimes that are legally independent of the federal PDPL.
DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020, as amended) is modelled closely on GDPR. It applies to controllers and processors established in the DIFC, and to those outside DIFC that process personal data in connection with offering goods or services to DIFC-based individuals, or monitoring their behaviour. The enforcing authority is the DIFC Commissioner of Data Protection. Key features: DPO requirement for high-risk processors; mandatory DPIAs; cross-border transfer restrictions (adequacy list and standard clauses); 72-hour breach notification to the Commissioner; administrative fines up to USD 100,000 per violation (with multiple violations capable of aggregation). The DIFC maintains an adequacy list of jurisdictions, which includes the EU, UK, and a number of GCC states.
ADGM Data Protection Regulations 2021 are similarly GDPR-aligned, enforced by the ADGM Registration Authority. The substantive obligations are broadly equivalent: lawful basis requirements, data subject rights, transfer restrictions, DPO requirements, and breach notification. ADGM fines can reach USD 28,000,000 for the most serious violations — the highest data protection penalty in the UAE ecosystem — reflecting ADGM's ambition to be recognised as a GDPR-adequate jurisdiction for international financial services.
Practical implications for multi-entity groups: a corporate group with entities in both onshore UAE and DIFC/ADGM must comply with two (or three) separate data protection regimes. Data flows between the onshore entity and the DIFC/ADGM entity will constitute cross-border transfers requiring a lawful mechanism under the applicable law. Group-wide data protection policies, SCCs between entities, and a consolidated DPO structure (where one DPO is designated for the group across jurisdictions, with appropriate knowledge of each regime) are the most efficient compliance approach for such groups.
Compliance checklist
- Data mapping: conduct a comprehensive audit of all personal data held by the organisation — what data, where collected, why processed, who has access, where stored, how long retained, and whether transferred outside the UAE
- Lawful basis register: document the lawful basis for each processing activity; review and update when purposes change
- Privacy notices: review and update all customer, employee, and third-party privacy notices to comply with PDPL requirements; ensure Arabic version for consumer-facing services targeting UAE residents
- Consent mechanisms: audit consent collection mechanisms to confirm they meet specificity, transparency, freely-given, and affirmative-act requirements; implement consent withdrawal functionality
- Data subject rights procedures: implement logged, documented procedures for receiving and responding to access, rectification, erasure, portability, restriction, and objection requests within required timeframes
- Processor agreements: ensure all data processor relationships (IT vendors, cloud providers, payroll processors, marketing platforms) are governed by data processing agreements meeting PDPL requirements
- Cross-border transfer review: identify all overseas data transfers; map to UAEDO adequacy list or implement SCCs/BCRs; conduct transfer impact assessments for high-risk destination countries
- DPO assessment: determine whether a DPO is mandatory; if not mandatory, consider voluntary appointment; ensure DPO role and contact details are published if applicable
- Security assessment: conduct a technical and organisational security review proportionate to the risk profile of processing; document security measures; test incident response procedures
- Breach response plan: implement a documented breach response procedure covering detection, internal escalation, UAEDO notification within 72 hours, and data subject notification where required
- Training: deliver PDPL awareness training to all staff involved in data processing; document completion; refresh annually and when significant law changes occur
- DIFC/ADGM mapping: for groups with DIFC or ADGM entities, map obligations under each applicable regime and implement a coordinated compliance framework
What we would typically advise
The PDPL is not a box-ticking exercise — it requires a genuine programme of data governance embedded in the organisation's operations. Clients who come to us after a data breach or UAEDO investigation face remediation costs and reputational damage that are typically an order of magnitude higher than the cost of proactive compliance.
For an onshore UAE business of moderate scale, the highest-return compliance investments are: a data mapping exercise to identify what you actually hold and where; updating privacy notices to PDPL standard; reviewing and documenting lawful bases for your core processing activities; and putting a breach response procedure in place. These four measures address the most common gaps we see in practice.
For international businesses with UAE resident customers or employees, the extra-territorial scope of the PDPL means you cannot assume that compliance with GDPR or another jurisdiction's law is sufficient — the PDPL has its own requirements (including the UAEDO-specific adequacy list, UAE Data Office notification procedures, and Arabic-language disclosure obligations for consumer-facing services) that require separate attention.
We regularly assist with gap analyses, data protection impact assessments, cross-border transfer frameworks, DPO-as-a-service, and regulatory liaison with the UAE Data Office. Speak with a partner if you need a scoped engagement.
Frequently asked questions
Does the UAE PDPL apply to companies outside the UAE that process UAE resident data?
Yes. Federal Decree-Law No. 45 of 2021 has explicit extra-territorial scope. It applies to any entity that processes personal data of individuals located in the UAE, regardless of where that entity is established. A business incorporated in the UK, EU, or US that collects, stores, or uses UAE resident personal data must comply with the PDPL. The practical trigger is whether you are targeting UAE residents or systematically processing their personal data — not whether you have a UAE office.
What is the deadline to comply with UAE PDPL?
The PDPL came into force on 2 January 2022. The Executive Regulation (Cabinet Decision No. 33 of 2024) entered into force in 2024, providing detailed implementing rules. There is no ongoing grace period — all entities within scope are required to be compliant now. Regulators have been actively issuing guidance through the UAE Data Office, and enforcement activity is increasing. Controllers and processors who have not yet conducted a gap analysis and implemented a compliance programme should do so as a matter of urgency.
Is a Data Protection Officer (DPO) required for all UAE businesses?
No — the PDPL DPO requirement is not universal. A DPO is mandatory for: (i) controllers whose core activities involve large-scale processing of sensitive personal data (health, biometric, genetic, financial, or criminal data); (ii) controllers conducting processing activities that are likely to result in high risk to data subjects; and (iii) public authorities. SMEs and businesses processing only ordinary employee or customer data at modest scale are unlikely to be required to appoint a DPO, but appointing one voluntarily demonstrates accountability and may reduce regulatory risk.
Does the UAE PDPL apply to DIFC and ADGM companies?
No. DIFC entities are governed exclusively by the DIFC Data Protection Law 2020 (DIFC Law No. 5 of 2020), enforced by the DIFC Commissioner of Data Protection. ADGM entities are governed by the ADGM Data Protection Regulations 2021, enforced by the ADGM Registration Authority. Both free zone regimes are modelled closely on GDPR principles and are broadly equivalent in substance to the UAE PDPL, but they are entirely separate legal regimes. A company incorporated in both onshore UAE and DIFC may face obligations under both regimes for different processing activities.
What are the fines for PDPL violations in UAE?
Under Federal Decree-Law No. 45 of 2021 and the Executive Regulation, administrative fines can reach AED 5,000,000 (approximately USD 1.36 million) per violation. Criminal liability is also possible for intentional unlawful processing — this can result in imprisonment in addition to fines. Repeat violations attract higher penalties, and the UAE Data Office has authority to order cessation of processing, data erasure, and publication of violations as additional sanctions. The penalty regime is graduated by severity: minor procedural violations attract lower fines; unlawful processing of sensitive data or data transfer without safeguards attracts the highest penalties.
Published 6 June 2026. General information only — not legal advice. Contact us for matter-specific advice.