Question 1

Which UAE data protection law applies to my business?

Accepted Answer

Three regimes apply in parallel. (1) Federal PDPL (Federal Decree-Law 45 of 2021) — applies to processing of personal data of UAE-located data subjects, including extraterritorial reach to non-UAE controllers/processors processing such data; the UAE Data Office is the federal regulator. (2) DIFC Data Protection Law 5 of 2020 — applies to controllers and processors established in the DIFC and to processing carried out in the context of DIFC activities; the Commissioner of Data Protection is the regulator. (3) ADGM Data Protection Regulations 2021 — applies in ADGM with the Office of Data Protection as regulator. Several sector-specific regimes overlay (CBUAE for banks, DHA/DOH/MOHAP for health data, TDRA for telecom, SCA for securities). The right answer is regime-by-regime mapping based on (a) where you are established, (b) where data subjects are, and (c) the activity context.

Question 2

Are we a controller or a processor?

Accepted Answer

The classification is fact-driven — controller is the entity that determines purposes and means of processing; processor processes on the controller's behalf. UAE PDPL, DIFC and ADGM follow the GDPR-derived dichotomy. Real-world ambiguity arises with: SaaS vendors (often joint controllers for analytics, processors for customer data); marketplaces (controller for platform data, processor for merchant-side); employee benefits administrators (typically processor, but joint controller for some matters); cloud infrastructure (processor, but with sub-processor obligations). Misclassification is a common audit finding — and it changes everything downstream (contracts, breach obligations, transfer mechanisms).

Question 3

Do we need to appoint a Data Protection Officer?

Accepted Answer

PDPL Article 10 requires DPO appointment where: (i) processing is likely to result in high risk to data subjects following risk assessment; (ii) processing involves systematic monitoring of personal data on a large scale; or (iii) processing involves large-scale processing of special-category data (health, biometric, genetic, etc.). DIFC Law 5/2020 imposes a DPO requirement for data controllers carrying out high-risk processing. ADGM Regulations 2021 are similar. The DPO does not need to be a UAE resident or employee but must have unimpeded access to top management. We routinely act as outsourced DPO under engagement-letter terms — particularly for non-UAE groups establishing UAE operations.

Question 4

What are the breach-notification obligations?

Accepted Answer

PDPL Article 9 requires notification of personal-data breaches to the UAE Data Office, with notification to affected data subjects where the breach is likely to cause harm. The Implementing Regulations (Cabinet Decision pending — interim guidance applies) clarify the 72-hour standard for regulator notification, the content requirements (nature of breach, categories and approximate number of data subjects affected, likely consequences, remediation measures), and the data-subject notification trigger thresholds. DIFC and ADGM impose comparable 72-hour notification standards. Sector-specific regimes (CBUAE for banks, DHA for health data) may impose additional or shorter notification windows. We run breach-response retainers with pre-agreed notification templates and 24/7 partner cover.

Question 5

How are cross-border data transfers handled?

Accepted Answer

Cross-border transfer of personal data out of the UAE under PDPL requires either: (a) transfer to a country with adequate protection (the Cabinet to publish a list — pending); (b) appropriate safeguards (binding corporate rules, standard contractual clauses approved by the UAE Data Office, certification mechanisms, codes of conduct); or (c) specific exceptions (data-subject consent, contract performance, public interest, vital interests, legal claims). DIFC and ADGM operate adequacy + SCC frameworks aligned to EU GDPR Chapter V. Practical reality: most multinationals run the same SCC architecture they use for GDPR, supplemented by UAE-specific intra-group agreements. Russia / China data flows attract heightened scrutiny.

Question 6

What about marketing and consent?

Accepted Answer

PDPL Article 6 requires consent as a primary lawful basis (with limited alternative bases — performance of contract, legal obligation, vital interests, public interest, balanced legitimate interests). Marketing consent must be specific, informed, freely given and easy to withdraw. WhatsApp / SMS marketing additionally interacts with TDRA's anti-spam framework (TRA Marketing Communications Resolution and the Federal SPAM regulation). UAE consent rules are stricter than email-only marketing in some Western jurisdictions — pre-checked boxes, package-deal consents and continuing-relationship assumptions all fail. We routinely re-paper consent flows for UAE-targeted marketing.

Question 7

What are PDPL fines and enforcement?

Accepted Answer

The PDPL Implementing Regulations set the fine schedule for breaches — current published guidance contemplates fines from AED 50,000 up to AED 5,000,000 per breach, with aggravation for repeat offences and large-scale breaches. The DIFC Commissioner can issue administrative fines up to USD 100,000 per breach plus enforcement orders. ADGM Office of Data Protection can issue similar penalties. Regulator-action defence — particularly for cross-border groups facing parallel UAE / DIFC / ADGM action plus the home-jurisdiction equivalent (GDPR ICO / CNIL / DPC) — is a specialist exercise that benefits from coordinated counsel.

UAE Data Protection — federal PDPL, DIFC, ADGM and the sector overlays.

What we do for controllers, processors and DPOs.

Compliance build-out

DPO services

Breach response & enforcement

Specialist matters

Frequently asked questions

PDPL build-out, breach or regulator action?