1. Introduction
Considering the demands of contemporary digital culture, the UAE enacted Federal Decree Law No. 45 of 2021—the Federal Personal Data Protection Law (“PDP Law”)—to implement Article 31 of the Constitution guaranteeing privacy rights. Effective January 2, 2022, with Executive Regulations following within six months, the PDP Law represents the first federal data-privacy framework developed in collaboration with major technology companies.
The PDP Law protects the personal data of UAE residents and applies both territorially and extraterritorially:
Exemptions include:
The PDP Law aligns the UAE with global best practices while reflecting local priorities. Businesses expanding into the UAE should leverage their GDPR frameworks, update policies, appoint DPOs and implement robust DPIAs to ensure seamless compliance.
Last updated: July 2025
Enacted as Federal Decree Law No. 45/2021 and effective January 2, 2022, the PDP Law is the UAE’s first comprehensive federal data privacy framework, developed in line with Article 31 of the Constitution.
It applies to any for-profit entity processing personal data of UAE residents—whether based inside or outside the UAE—subject to CPRA-style thresholds. Exemptions include government bodies, free-zone entities under DIFC/ADGM laws, personal data for private use, judicial authorities, and banking/health data under other regimes.
Individuals have rights to access, rectify, erase, restrict or object to processing, and data portability. These mirror GDPR rights but may be limited for national security, public order, or repetitive requests.
Conduct a Privacy Impact Assessment (DPIA) evaluating purpose, scope, data uses, and risks to data subjects—and implement mitigation measures before deployment.
Only to jurisdictions with “adequate” data protection per Art. 22. If adequacy is absent, businesses may rely on exceptions such as Standard Contractual Clauses under Art. 23.
Both have extraterritorial reach and similar data subject rights. The PDP Law relies mainly on consent (with limited exceptions), while GDPR provides six legal bases. GDPR has detailed children’s data provisions; the PDP Law does not.
Administrative fines may be imposed by the Council of Ministers upon complaint to the Data Office. Specific amounts are determined by regulation and are designed to align with global best practices.
Enforcement is overseen by the UAE Data Office, which may investigate breaches, impose injunctions, and recommend fines to the Council of Ministers.